The General Data Protection Regulation gets the green light despite Brexit

15th November 2016 Commercial

The Secretary of State for Culture, Media and Sport, Karen Bradley MP, has confirmed that the UK will be implementing the General Data Protection Regulation (GDPR) in May 2018. There had previously been some uncertainty over whether this new legal framework would apply in the UK following Brexit.

The GDPR will replace the existing Data Protection Act 1998 (DPA). While the two pieces of legislation share many similarities, the introduction of the GDPR is necessary to reflect technological changes since the DPA was introduced.

The GDPR will introduce some significant changes to the data protection regime, and UK businesses should start to review whether they are compliant with the new framework. Some examples are set out below:

Scope of data covered

Whilst the GDPR will apply to personal data (such as an individual's name and contact details), the definition has been expanded to include data such as IP addresses. This will therefore offer broader protection to those individuals to whom the personal data relates.

Responsibilities of data processors

Under the DPA, only the data controller (the person or organisation that determines how and why personal data are processed) is directly liable for data protection compliance (with data processors having further obligations imposed contractually by data controllers). However, under the GDPR, data processors (those entities that process data on behalf of other organisations, such as a call centre providing customer services on behalf of a retail chain) will be directly subject to statutory obligations.

Data processors will be required to keep written records of the data processing activities they carry out on behalf of a data controller, and will face stiff penalties for non-compliance. Data controllers will be required by the GDPR to ensure compliance with the regulations by data processors through the inclusion of additional terms in their contractual agreements.


Businesses will need to ensure that an individual has freely consented to the processing of their personal data in cases where consent is the legal basis on which processing takes place. A clear form of affirmative action would be required, such as the individual providing a written statement of consent or ticking an unchecked box. Silence and inactivity will not constitute consent.

Right to erasure

Individuals will have increased rights in certain circumstances both to prevent the processing of their personal data and to have personal data erased (the so-called 'right to be forgotten'). This situation may arise if, for example, an individual withdraws their consent to the processing of their personal data. Unlike the current provisions under the DPA, the right to erasure will not be limited to processing that causes unwarranted and substantial damage or distress. However, individuals will not have an absolute 'right to be forgotten'. For example, businesses will not have to comply with a request for erasure if the personal data is being processed in the exercise or defence of legal claims.

The post-Brexit future

The GDPR will apply to non-EU based organisations that process the data of EU individuals. Compliance with the GDPR is therefore likely to remain a material consideration to various businesses in the UK that operate internationally, regardless of any post-Brexit changes to UK data protection legislation. In any event, the implementation of these enhanced data protection rights is likely to be welcomed by consumers.

For more information on GDPR and a confidential discussion with Richard and the team please do not hesitate to email.

We're Social

Richard Parkinson is a Partner and Head of Commercial located in Manchesterin our Corporate and CommercialSports Law departments

View other posts by Richard Parkinson

Let us contact you

View our Privacy Policy

Areas of Interest