One of the first questions asked by British organisations in relation to the General Data Protection Regulation is whether it still applies after Brexit. Obviously, the appeal of a “do nothing” card is strong! This article lays out the position as known at the time of writing.

On the 23rd June 2016, a slim majority of the people in the UK voted to leave the European Union. On 29 March 2017, the British Prime Minister, Theresa May MP, triggered the formal process for leaving the EU by invoking Article 50 of the Treaty on European Union. This allows for a time period of two years, from the trigger date, to the point when the UK leaves the European Union.

The UK government’s approach to the process of leaving the EU is to acknowledge that reaching a full agreement is not possible during the to year period (some trade deals can take a decade to agree!) and negotiate a transition period during which final negotiations will take place about the future relationship with the EU.

The UK government has been clear that Brexit will not prevent or affect the implementation of the GDPR regulation on the 25th May 2018. Individuals and organisations should work on the understanding that the GDPR will apply in the medium term whilst the UK remains in the EU and through any transition periods.

However, depending on the nature of the final Brexit arrangement, it is possible that the regulatory and legal framework will change in the future. If the talks fail, unless the UK Data Bill is revoked, the provisions of the GDPR will still apply in the UK.

One the UK leaves the EU, it should be noted that the EU will be forced to treat the UK as a “third country” and will expect equivalent protections if data is to be shared freely between the jurisdictions.

It is likely that, as a third party, the UK will need to achieve a formal adequacy decision to allow data transfers to occur and therefore will need to be GDPR compliant. Since the UK will already be operating under the GDPR when the transition period comes to an end, the likely way the UK will seek an adequacy decision will be by keeping most if not all of the GDPR in place.

If you found this article useful and want to know more about the general nature of the GDPR, you should consider our course "GDPR - The Basic Facts" which introduces the key features of the GDPR in just under one hour of lectures.