
UK data protection law and Brexit: the EU GDPR, the UK DPA 2018, the applied GDPR and the UK GDPR

The nature of the UK’s future relationship with the EU remains vague, leaving organisations in the UK uncertain about what the future will hold.

This page explains what we know so far about Brexit’s effect on data protection law in the UK, and how it will affect personal data transfers to third countries or international organisations, including transfers that rely on the EU-US Privacy Shield.

It will be updated as and when new information becomes available.

Speak to one of our experts

If you need guidance on how Brexit will affect your data protection obligations, get in touch with one of our experts.


1. Data protection law in the UK before Brexit

UK organisations that process personal data are currently bound by two laws: the EU GDPR (General Data Protection Regulation) and the UK DPA (Data Protection Act) 2018.

The EU GDPR entered into force on 24 May 2016, before the UK’s referendum on EU membership. Following a two-year transition period, the Regulation took effect on 25 May 2018, superseding the EU’s Data Protection Directive (DPD) 1995 and all member state law that implemented it – including the UK DPA 1998.

Although it applies directly in member states with all the force of a domestic law, the EU GDPR leaves certain areas to individual member states to interpret and implement. In the UK, this is achieved by Part 2, Chapter 2 of the DPA 2018, which should be read alongside the Regulation.

As well as modifying the EU GDPR, the DPA 2018 applies a broadly similar regime of data protection – known as “the applied GDPR” – to certain areas that fall outside the EU GDPR’s scope, including processing by public authorities.

It also sets out data processing regimes for law enforcement purposes and the intelligence services.



2. Data protection law in the UK after Brexit: the UK General Data Protection Regulation

Although the EU GDPR will no longer apply directly in the UK once it leaves the EU, UK organisations must still comply with the Regulation’s requirements.

First, the DPA 2018 already enacts the EU GDPR’s requirements in UK law.

Second, as part of its contingency planning for a no-deal Brexit, the UK government has issued a draft statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – under the European Union (Withdrawal) Act 2018.

This amends the DPA 2018 to replace its references to EU laws, institutions, currency and the like with British equivalents, and combines the applied GDPR (Part 2, Chapter 3 of the DPA 2018) with the provisions of the EU GDPR (as amended by Part 2, Chapter 2 of the DPA 2018) to form a data protection regime that will work in a UK context.

This new regime will be known as ‘the UK GDPR’.

The draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 also provide that transfers of personal data from the UK to the US that rely on the EU-US Privacy Shield can continue from 29 March 2019 in the event of a no-deal Brexit. See Post-Brexit cross-border data transfers, below, for more information.

There is very little material difference between the EU GDPR and the proposed UK GDPR, so organisations that process personal data should continue to comply with the EU GDPR.

When the UK GDPR comes into force will depend on the nature of the UK’s exit from the EU:

  • Deal/soft Brexit

    If the UK leaves the EU with a deal, the EU GDPR will – like all other EU regulations – continue to apply in the UK until the end of the transition period (currently set at 31 December 2020).

    From this point, the UK GDPR will apply, either in the form created by the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 or in another form created by as-yet-undrafted secondary legislation.

  • No deal/hard Brexit

    If there is a hard Brexit and the UK leaves the EU without a deal, there will be no transition period, so the EU GDPR will cease to apply in the UK on exit day (29 March 2019).

    At this point, the UK GDPR, in the form created by the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, will apply.

    If no withdrawal agreement is reached, the UK will be classified as a third country on exit day and UK organisations that process personal data on behalf of EU data controllers will need to rely on other measures – such as standard contractual clauses or binding corporate rules – to transfer personal data from the EEA until an adequacy decision is reached. This is discussed in greater depth below.

In either scenario, the EU GDPR’s requirements as implemented by Parts 3 and 4 of the DPA 2018 will continue to apply for law enforcement and intelligence purposes.


Post-Brexit cross-border data transfers

In order for cross-border data flows from the EEA to the UK to continue unhindered after Brexit, the European Commission will need to determine that the UK, as a third country, offers personal data an adequate level of protection via an adequacy decision as per Article 45 of the EU GDPR.

The UK hopes that, by enacting the EU GDPR’s requirements in domestic law, it should be able to demonstrate that it will continue to enforce international data protection requirements after it leaves the EU.

To date, the Commission has adopted 12 adequacy decisions: with Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (for companies certified under the EU-US Privacy Shield). An adequacy decision with Japan is in the process of being adopted and talks with South Korea are ongoing.

  • Deal/soft Brexit

    If there is a deal, both the EU and UK hope to complete the adequacy decision process within the transition period, although it is worth noting that there is significant time pressure: the last third country to strike such a deal with the EU was New Zealand, and that process took about four years.

  • No deal/hard Brexit

    If there is no deal and therefore no transition period, the UK government has confirmed that it will continue to allow the free flow of personal data to the EU “in recognition of the unprecedented degree of alignment between the UK and the EU’s data protection regimes”.

    However, organisations in the UK will have to rely on binding corporate rules or standard contractual clauses to transfer personal data from organisations in the EEA until an adequacy decision is reached. (The EU GDPR also makes provision for personal data to be transferred to third countries based on approved codes of conduct – such as the EU-US Privacy Shield – but no such code has been agreed for transfers from the EEA to the UK yet.)

    Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover – whichever is higher.

    Prudent organisations that process EU residents’ personal data will therefore be putting measures in place now in order to ensure they continue to comply with the law after 29 March in the case of a no-deal Brexit.

    The Information Commissioner’s Office has published guidance and resources for organisations after Brexit.

    As to transfers of personal data to the US, the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 make provision to preserve the effect of the EU-US Privacy Shield in the UK in the event of a no-deal Brexit.

    The US Department of Commerce has published guidance for US Privacy Shield organisations on how personal data can continue to flow from the UK to the US in a no-deal scenario.

We will update this page with further information once the nature of the UK’s withdrawal from and future relationship with the EU becomes clearer.

Last updated: February 2019

