What effect will Brexit have on the application of the General Data Protection Regulation to the UK?

It is not yet known how the UK's data protection regime will operate after the UK exits the EU. However, employers would be well advised to prepare to comply with the requirements under the General Data Protection Regulation (2016/679 EU) (GDPR) for a number of reasons.

The Government has confirmed that the UK will implement the GDPR when it comes into effect on 25 May 2018, as the UK will still be a member of the EU at that time.

Even after the UK exits from the EU, the GDPR will continue to apply directly to:

  • organisations established in the EU (for example international organisations with an EU presence); and
  • organisations established outside of the EU, but that process personal data of individuals in the EU in relation to offering goods or services, or monitoring the behaviour of individuals in the EU.

It is also likely that after the UK leaves the EU, the UK will seek to maintain an adequate level of protection for personal data to enable personal data transfers between European Economic Area countries and the UK. This would involve either continuing to apply the GDPR, or implementing data protection legislation with an equivalent level of protection to that of the GDPR.