GDPR after Brexit

21st December 2020 Commercial Litigation

As we approach the proposed date for departure from the EU, one of the many uncertain areas is the status of the GDPR and data protection law.

As the UK leaves the EU it no longer falls within the GDPR. However, the Data Protection Act 2018 effectively enshrines the GDPR in UK law regardless of our status within the EU, so the GDPR will continue in place. However, there will be substantial difficulties for any UK business seeking to handle the data of citizens of EU countries post-GDPR. This is because, even though the UK will be complying with the GDPR itself, it is no longer in the EU and so is not automatically a trusted data handler. Companies will therefore have to ensure they have appropriate GDPR representatives in the EU and will need to think about the manner in which they transfer data from the EU to the UK, rather than simply being able to do so freely as they could before.

The Prime Minister has suggested that the UK will move to have its own data protection regime in future. However, such an approach would be likely to be hugely counter-productive. This is because the GDPR has extra-territorial applicability. In other words, it applies to anyone processing the data of EU citizens, regardless of where they are in the world. This would mean that if the UK had its own, alternative, data protection regime, many UK businesses would need to comply with both that regime and the GDPR. This would simply increase regulatory cost to little practical advantage and would probably mean that many businesses would simply seek to comply with whichever regime was the most onerous, probably the GDPR. It is also worth remembering that there are other jurisdictions that have data protection regimes applying to any processing of their citizens' data, regardless of where it happens. California is one such example and India is working on something similar. Therefore, there is little value in a UK-only data protection regime that is not at least as stringent as the main regimes that UK business is likely to comply with. Practically, business does not just require a compatible regime but an agreement with other regimes that our regime is equivalent, so that compliance with it is deemed automatic compliance with theirs. In other words, the UK government needs to negotiate an arrangement with the EU that gives UK businesses the same benefits in relation to the GDPR as they had when we were inside the EU. Ideally, a similar arrangement needs to be made with California.

Representative bodies could also assist by creating codes of practice and accreditations that the ICO could approve to demonstrate GDPR compliance. They could then work to get these recognised by overseas bodies to allow business to quickly show strong data protection standards to businesses inside the EU.

For the immediate future the data protection regime for UK business will be an uncertain one. Compliance with the GDPR will remain critical, but businesses will need to ensure they have appropriate GDPR representatives inside the EU and also make sure that they can demonstrate compliance, so that they are able to enter easily into contracts with data controllers and processors inside the EU, who will now be under an obligation to verify that they are compliant.


David Smith is a Partner located in London in our Commercial Litigation department.
