Knowledge Hub
for Growth

GDPR and Brexit: what does it mean for your business?

The UK’s transition period for exiting the EU is coming to an end. At the same time we are receiving more and more enquiries from clients concerned about what Brexit will mean for them in terms of GDPR compliance and their internal data protection policies. Here we consider some of the things you need to bear in mind to ensure you comply with GDPR rules after Brexit.

The background to GDPR

The need to protect personal data in our data driven society resulted in a huge effort in Brussels, London and elsewhere to upgrade data protection rules. The result was GDPR to which the UK signed up as an EU member. In the context of Brexit it’s worth remembering that personal data is constantly crossing territorial boundaries in complex technological ways. The need for this data flow won’t diminish after Brexit so organisations in the UK need to ensure that they comply with the rules. The main issue for our clients is that, with the UK’s legal relationship with the EU in a state of flux, there is a good deal of uncertainty about what data protection compliance will look like after Brexit.

GDPR is an EU law. Will it apply after Brexit?

Technically GDPR won’t apply in the UK when the transition period ends. But UK businesses will still have to comply with UK data protection law as the government has indicated that it intends to incorporate all the terms of GDPR into UK law. The new law is likely to be referred to as UK GDPR. In practice therefore the processes you have put in place for GDPR compliance will remain relevant and essential. In addition, if you are doing business in Europe involving the use of personal data you will have to adhere to all the EU rules on data protection – including GDPR. This may make it necessary for you to appoint an EU representative for GDPR.

Read our article on why appointing an EU representative may be required for your business and insight from data protection specialist, David Sant.

Does data protection law apply to my business?

If you control or process personal data then you are subject to the rules. In fact, there are few businesses in the UK that operate without processing or controlling personal data – even if the only personal data in a business is used to pay staff. Many businesses are much more reliant on personal data than that. And many of them are reliant upon accessing or processing data across the EU. This may simply be because a business supplies into the EU (or takes supplies from the EU) but might also be for more technical reasons: for example, the definition of ‘processing’ (which is a key term in data law) extends to ‘storage’. The effect of this is that if you store your personal data on a server in the Republic of Ireland, then you are processing personal data there.

The statistics indicate that three-quarters of the UK’s cross-border data flows are with EU countries: a great deal of personal data is being shared across the EU.

Could I lose access to personal data when Brexit takes place?

The government has stressed that it wants to maintain the unhindered flow of data between the UK and the EU after Brexit. But as we explain below achieving this aim may not be entirely straightforward.

Why might the flow of personal data be interrupted?

Under the EU’s data protection framework, any country other than those in the EU and the European Economic Area (the EEA) is classed as a ‘third country’. On leaving the EU, the UK will be a third country. EU requirements mean that personal data can only be transferred to the UK from the EU when an adequate level of protection is guaranteed.

The EU and ‘adequacy decisions’

The obvious solution here would be for the Government to obtain an ‘adequacy decision’ from the European Commission, certifying that the UK’s data protection regime is sufficiently robust to enable the continued uninterrupted flow of data between the EU and the UK .

However, an adequacy decision is a formal, legislative decision of the EU and it takes time. To date the EU Commission has not made an adequacy decision. Some have suggested that the government’s expressed intention to exclude the Charter of Fundamental Rights from EU retained law after Brexit will make it harder for the EU Commission to confirm that the UK’s data protection systems are adequate. That’s because the EU views the Charter as integral to the protection of personal data.

Added to this, the Court of Justice of the European Union’s recent decision in a case known as Schrems II raises a further question mark over data flow between the UK and the EU post-Brexit. Schrems II concerned data flow between the EU and the US. But the court’s focus on US government surveillance powers as a key reason to find the existing ‘privacy shield’ inadequate (the privacy shield enabled the flow of data between the US and the EU) could have repercussions when it comes to deciding on the adequacy of UK data protection. The UK’s Investigatory Powers Act 2016, for example, allows the UK government to access personal data in certain circumstances that are similar to the US authorities highlighted in Schrems II.

So, what should my business do about data protection after Brexit?

The way the flow of data between the UK and the EU is regulated after Brexit will depend largely on whether or not the EU agrees that the UK offers individuals adequate data protection. It may well be that an adequacy decision will not be forthcoming. In such a scenario, UK businesses will have to find other ways to legitimately transfer data to the EU.

For the moment however, and until an adequacy decision is reached the ICO has made clear that until most of the data protection rules affecting small to medium-sized businesses and organisations will stay the same. If the sharing of personal data across the EU is a key aspect of your business, then you should keep a close eye on what the government is proposing in relation to this issue so that you can take it into account in setting your medium and long-term strategies. In the meantime, if you would like any support or advice regarding your data protection processes or policies and how these could adapt, our expert data protection solicitors can provide the help you need.

What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no-obligation to instruct us. We aim to respond to all messages received within 24 hours.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

Like what you’re reading?

Get new articles delivered to your inbox

Join 8,153 entrepreneurs reading our latest news, guides and insights.


To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry