Post Brexit GDPR for UK Businesses



UK Prime Minister Boris Johnson has revealed in a statement to the House of Commons that one of the early changes to UK policy could be developing independent data protection legislation.

According to Teiss, it is not clear whether an independent data protection policy would change the Data Protection Act 2018, which aligns with GDPR. Prime Minister Johnson said:

“The UK will in future develop separate and independent policies in areas such as (but not limited to) the points-based immigration system, competition and subsidy policy, the environment, social policy, procurement, and data protection, maintaining high standards as we do so.”



No change for GDPR compliance until the end of 2020

Days before Prime Minister Johnson’s statement, the Information Commissioner’s Office (ICO) confirmed that it is “business as usual for data protection” until the Brexit transition period ends at the end of 2020. The ICO says:

“GDPR will continue to apply. Businesses and organisations that process personal data should continue to follow our existing guidance for advice on their data protection obligations. During the transition period, companies and organisations that offer goods or services to people in the EU do not need to appoint a European representative.”

The ICO’s role won’t change for now, but the organisation confirms that the future of data protection holds unknowns, adding:

“The ICO will continue to act as the lead supervisory authority for businesses and organisations operating in the UK. It is not yet known what the data protection landscape will look like at the end of the transition period and we recognise that businesses and organisations will have concerns about the flow of personal data in future.”


Post-Brexit Data Protection

Cameron Abbot and Michelle Aggromito of international law firm K&L Gates explain some of the legalities of the future of GDPR and data protection, from their perspective, in an article at The National Law Review. They write:

“There will be little change during the transition (also known as “implementation”) period that is expected to end on 31 December 2020. During this period, EU law will continue to apply in the UK, including the EU General Data Protection Regulation (GDPR), after which the GDPR will be converted into UK law.”

They say that the UK will become a “third country,” just like the US, Canada or China, as far as GDPR is concerned. That is of course “assuming all goes to plan (which is almost impossible where Brexit is concerned).”

For data flowing in and out of the UK, the authors say:

“The UK Government has acknowledged that it will recognise all EEA countries under its own adequacy ruling and incorporate all existing EU adequacy decisions. This will allow organisations within the EU to continue to facilitate data transfers from the UK to these countries.”

Adequacy refers to whether a “third country” outside the GDPR is accepted as having data protection that is adequate and equivalent to the GDPR, so that data can be exchanged or transmitted safely between countries. The authors continue:

“GDPR restrictions will apply to personal data being transferred into the UK unless the EU establishes that the UK is an “adequate” country. This will require the European Commission to assess and approve the UK for adequacy. This is unlikely to get across the line by this time and so organisations should ensure that they have implemented appropriate safeguards for inbound data transfers, such as adopting the EU’s standard contractual clauses in its arrangements with EU based entities.”

The article’s last point:

“Organisations based in both the UK and the EU will need to update their privacy notices to reflect the change in status.”

The authors, in the text published on February 5, conclude:

“The UK Government has said that it plans to continue GDPR post the transition period and so organisations should maintain their compliance on that basis. However, if Brexit has taught us one thing, it’s that we can never be certain.”

UK companies should continue to work to GDPR, while thoroughly monitoring and investigating how Brexit will impact data protection laws over time and how they should operate, as well as taking expert or legal advice if necessary.

Globally, data protection legislation is developing, and countries outside the EU are proposing laws comparable to GDPR. These emerging laws will hopefully complement each other, and an international standard for data protection may eventually emerge.

