Brexit and the GDPR

How does Brexit impact British companies having to comply with GDPR? It doesn’t really. Well, okay, maybe a tiny bit…

The GDPR is an EU Regulation, which means that if you’re one of the 28 EU member states (as the UK is) then when the regulation came into effect on 25th May 2016, by definition it became law. We’re currently in the transition period before the law is enforced on 25th May 2018, but the GDPR is officially part of UK law right now (Feb 2017). So yes, whatever happens in the future, compliance is required.

Assuming the UK does leave the EU on a particular date, e.g. 1st Jan 2019, at that point the EU laws that are part of UK law get “repealed” in the “Great Repeal Bill”. The reality is that few, if any, will get removed, but will instead be converted into UK law verbatim. So at this point, the EU GDPR will not be in UK law, but a mirror image of it will be. Let’s call this new law “Data Protection Act 2” (DPA2).

So on 1st Jan 2019, anyone interfacing with British residents, e.g. UK businesses, will have two sets of regulation to comply with: DPA2, and GDPR for any entity that touches EU data (which is everyone). The UK Government has committed to DPA2 being exactly the same as GDPR on day one, but the reality is that these two laws will diverge over time. As the EU and UK parliaments amend their priorities, aspirations and objectives, their regulations will change too, so by the time we get to 2020 and beyond we’ll start to see some differences emerging.

Once the UK is outside of the EU, for it to be seen as a trusted party by EU members, an “adequacy” ruling will need to be made. This is where the EU agrees that the UK can be trusted as much as any EU member and that its Government won’t break the privacy of its residents’ personal data. This is a thorny subject for the UK, since the EU has already taken issue with the surveillance powers in the UK’s Investigatory Powers Act. The reality is that, just as with the US, the EU and the UK will find a way for the UK to be seen as an adequate partner and for data flows to carry on being compliant under the GDPR. Politicians and lawyers will have their meetings, arguments and court cases, but the end result will be the same. It can’t not be.

Brexit will affect Data Protection Laws in the UK, by definition, but only by a tiny amount in 3 or 4 years’ time. The reality is that from now and for the foreseeable future, GDPR is where it’s at. Brexit isn’t really going to change anything. GDPR is in UK law and compliance is a must.

Carl Gottlieb

Carl Gottlieb is the privacy lead and Data Protection Officer for a select group of leading tech companies. Carl’s consultancy company Cognition provides a range of privacy and security services including virtual DPO and virtual CISO.