Data Protection & Brexit – What are the implications?

Brexit means Brexit but what does it mean for data protection in the UK once we leave the EU?



Cathrine Ripley

Whilst it has been confirmed that the UK will be implementing the General Data Protection Regulation (GDPR) in 2018, uncertainty remains around what reforms, if any, will happen to the UK’s data protection law once we leave the EU.

The UK’s data protection regime will depend on its future relationship with the EU, with broadly three scenarios likely:

Option 1
The UK remains part of the European Economic Area (EEA) and is a member of the European Free Trade Association (EFTA). As with Norway, the UK would have access to the single market and its businesses would be able to receive personal data freely from those in EU member states by adopting the standards of the GDPR and paying contributions to the EU.

Option 2
The UK remains a member of EFTA but is no longer part of the EEA. As with Switzerland, the UK would have to access the benefits of the single market through bilateral agreements. To adopt this model would require laws equivalent to the GDPR in order to obtain an adequacy decision (a decision from the European Commission that confirms the UK adequately protects the rights of EU citizens).

Unfortunately for businesses, achieving an adequacy decision can take months, if not years, and is unlikely to be high on the European Commission’s agenda. Additionally, given the unwanted post-Snowden revelations of the UK’s involvement in mass surveillance of civilians, it may in practice prove difficult to obtain.

Option 3
The UK develops its own relationship with the EU either individually or through an organisation, as with the US and Canada. In this scenario, the UK would have the freedom to diverge its data laws from the GDPR, perhaps relaxing them in order to make them more business friendly.

However, if this is the case, an adequacy decision is less likely to be forthcoming, and other, less attractive options for transferring data legally would therefore need to be considered, such as:

  • a data sharing arrangement with the EU (similar to the EU-US Privacy Shield arrangement); or
  • the use of binding corporate rules or EU model contract clauses by businesses, although these have proven to be highly time-consuming and costly.

What does this mean for UK businesses?

UK businesses should be taking all appropriate steps to comply with the GDPR. The 12-step guide produced by the Information Commissioner’s Office is particularly helpful in beginning this task. Whilst the future is uncertain, it is widely agreed that compliance with the GDPR is the best way of future-proofing a business, no matter what the UK’s data regime ends up looking like.