Brexit: Goodbye EU, welcome GDPR!


At last: On 21 June 2017, Her Majesty, The Queen herself confirmed that, despite Brexit, the UK will implement the GDPR into its legislation. This means that the GDPR (through a separate new act) will replace the current legal framework on data protection as is primarily laid down in the Data Protection Act 1998.

The stated aim of this new GDPR implementing act is to make the UK’s data protection framework “suiteable for our new digital age, allowing citizens to better control their data’’. It’s also clear that the UK wants companies to know that it is a safe choice to process data within the UK borders: “A new law will ensure that the United Kingdom retains its world-class regime protection personal data’’. We believe that the UK government made the right decision here by its commitment to maintain a high legal level of data protection, as described in the GDPR. Also, traditionally, UK and European mainland businesses has been strongly linked to one another. As we all know, doing business in the services industry, without the processing of personal data, is almost impossible. In her speech, the queen noted that ‘’Over 70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade’’.

Whether you are a data controller or a data processor, you now know for certain that you may continue your GDPR program by making it an integrated part of your businesses in the EU and in the UK.

Consequently, since the UK will be an EU member state on 25 May 2018, it has to comply with the GDPR in all its aspects. However, we also believe some negotiations between the EU and UK have to take place about the legal framework after Brexit. One of the challenges after Brexit is how to ensure enforcement, regulatory consistency (guidelines) and cooperation mechanisms between the ICO (British data protection authority) and other data protection authorities throughout the EU, as is set out in the GDPR.

Post-Brexit, we will be in uncharted waters. As a regulation, the GDPR is a European set of rules that has direct effect in member states: member states do not have to implement it as a national act. This results in a major improvement of the new regime: one regulation should work the same way in all member states. After Brexit, in the UK (or will it be in England, Wales and Northern Ireland?), the GDPR will function as if it were a directive.

This means that the UK could make changes to the GDPR framework for its own jurisdiction at its convenience. We strongly believe the UK would not easily decide to do so, since it has great political and economic interests in staying close to the substantive provisions of the GDPR and being a ‘third country offering an adequate level of data protection’ towards EU-members. Keeping on track with EU data protection legislation would ‘’put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU’’, according to the queen.

What to do, what is next?

- As the substantive provisions of the GDPR will also come into force in the UK on 25 May 2018, and is very likely to stay, even after Brexit, your business should focus on implementing the GDPR in all personal data related business processes in EU and UK.

- After the Brexit the EU Commission should label UK as a ‘third country offering an adequate level of data protection’. Based on the UK intentions to implement (most of) the GDPR, we have reason to believe the EU Commission will grant this label to the UK, although we really hope they do not dawdle doing so. Without such an adequacy decision, your personal data transfers to the UK are not by definition unlawful, but it requires additional legal provisions in data processing agreements.

- The EU and UK must negotiate, and inform the public, about the way they intend to solve regulatory issues on the aspects of enforcement, regulatory consistency and cooperation mechanisms. We were particularly happy with the ‘one-stop-shop’ solution under the GDPR. This ensures, inter alia, that you will stay in touch with only one single data protection authority in the EU if there is a suspicion of violation of the GDPR of company entities in multiple member states or in case it concerns personal data of citizens living in various member states. We are curious to see what solution the EU and UK will bring on this point. 

Back to the overview