
Brexit - the impact on data protection laws

Following the Brexit vote this morning, many things remain uncertain, not least how any trade agreement between the UK and the EU will affect requirements to comply with European legislation.

From a data protection perspective, however, some things are certain:

  • Multi-national organisations with operations both in the UK and the EU will need to comply with GDPR in relation to their EU customers and employees. 
  • UK organisations that offer goods or services into the EU or carry out monitoring of EU citizens will continue to fall within the remit of GDPR. 
  • The UK's Information Commissioner has indicated that the regulator supports strengthened data protection laws in the UK, stating in April: "The UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines. Having clear laws with safeguards in place is more important than ever, given the growing digital economy, and is also central to the sharing of data that international trade relies on."

So what is this likely to mean in practice?

At this stage we cannot predict with any certainty the approach that the UK Government will take to Brexit and national legislation that to date has been based on European requirements.

If the UK seeks to join the European Free Trade Association, many central requirements of EU law would continue to apply, including GDPR.

If the UK does not go down this route, the UK Government will be free to adopt its own data protection laws. In these circumstances the European Commission would have to determine whether UK laws offer adequate protection for EU citizens.

If not, the processing of EU personal data within the UK will be restricted, with a dual regime likely to apply whereby UK personal data will be subject to UK laws and EU data will be subject to model clause requirements or some form of UK Privacy Shield type arrangement.

It is our view that any UK data protection laws are likely to closely mirror many major aspects of GDPR.

What should you be doing now?

For multi-national organisations, and those offering goods or services to EU citizens, GDPR implementation plans will need to continue. If your organisation is headquartered in the UK, and expected to be regulated by the Information Commissioner, you will now need to consider which EU supervisory authority will be your lead authority.

For all organisations it will be important to establish data flows between the UK and the EU, as new procedures may have to be adopted in relation to those data arrangements.

Brexit does not spell the end of data protection regulation in the UK. Ongoing audits and data mapping reviews should therefore continue, to enable compliance with the new regime no matter what form that may take.

We will continue to provide briefings on these issues as soon as further information becomes available. If you would like to discuss the implications of Brexit for your organisation, please contact our Data Protection & Privacy team.


This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions 

