We #StandWithUkraine, find out how to help here.
Last updated: 16.08.19

No Deal Brexit: How would this affect GDPR in the UK?

It’s been a long two years since the fateful vote that set the UK on the path to leaving the European Union. In that time, we’ve had buses, promises, protests and enough debates to fuel a hundred general elections.

The seemingly endless stand-off between those who want a withdrawal deal with the EU and those who are pursuing a no-deal scenario is expected to come to a head in October 2019, when the UK is anticipated to leave the union. With the no-deal scenario on a possible horizon, all manner of questions have been raised across almost every industry sector in the country.

In this blog, we’re going to look at the no-deal repercussions for one of the most significant pieces of business legislation in the last decade: GDPR.

What is the GDPR?

Anyone who works for a business, and many who do not, will have some awareness of GDPR. The acronym stands for General Data Protection Regulation, and it was implemented on the 25th of May 2018. In a broad sense, the regulation is designed to ensure that companies safeguard and do not abuse data collected about subjects, or people who submit their data.

This includes such stipulations as requiring consent for data processing, securely handling the data, ceasing processing according to subject request and much more. It is widely regarded as a positive and necessary step to protecting the privacy of people using various services and platforms, particularly in the age of the internet.

GDPR and No-Deal Brexit

The situation with regards to GDPR and a no-deal Brexit is somewhat complicated.

With the UK still in the EU until October, GDPR is still directly applicable in all cases. This means that all companies operating in the UK must still comply with GDPR regulations as they have done since the law was implemented.

If the UK leaves the EU with no withdrawal agreement (a no-deal Brexit), then as per the EU Withdrawal Act of 2018, the regulations of GDPR would still need to be upheld. This withdrawal act sees much of direct EU legislation assumed into UK law, and since the GDPR is direct EU legislation, then this act would apply.

GDPR as it stands has many references and stipulations which refer to other EU law, and when Brexit officially happens, the government will be making some changes to the regulation and other data protection acts to ensure that the UK protection procedures remain as robust and efficient as possible. These changes will be made with the powers granted by the EU withdrawal act and will aim to preserve the same privacy set by the original GDPR. They will also facilitate the easy data flow from UK to Europe by recognising European Economic Arena nations as ‘adequate’.

How to prepare

With all the uncertainty facing Brexit, in particular the impact of a no-deal Brexit, it is very hard to prepare for most parts of corporate life. With the already complicated nature of privacy law, GDPR is one of the most difficult elements to plan for, and as such one of the best ways is to keep an eye on the news and other business channels for updates. The anticipated changes set to be produced under the EU withdrawal agreement should be of particular note, since they should represent the most substantial changes to the GDPR as we know it.


Does Brexit affect GDPR?

The extent and nature of Brexit remains unclear, but UK data protection law will remain in place and the government will apply GDPR principles when leaving the EU, so very little is likely to change in terms of compliance. For companies dealing with data from EU citizens, GDPR will still apply.

Does GDPR cover deceased?

No, information about somebody who is deceased is not covered by GDPR because it is not classed as personal data.

How long should personal data be kept GDPR?

There are no specific limitations for how long data should be kept under GDPR, but the guidance is that it should be kept no longer than is necessary.

Is GDPR replacing DPA?

GDPR didn’t replace the Data Protection Act, which was renewed in 2018 and covers areas not already covered by GDPR, including national security and immigration matters.

Check out our full range of FAQs. Click Here to view.

Related resources