The UK Data Protection Act 1998 implements the EU Data Protection Directive. Whilst, in the event of an exit from the EU, it is likely that the Government would choose to keep the Act in force at least for the time being, data protection and security is currently an area of great interest and concern for policy makers, legislators and businesses alike and could therefore be a target for amendment going forward.

The current Act has come under criticism for being out of date and out of touch with modern technologies and ways of communicating and sharing data in the cyber world, given the increasing globalisation of data and business operations. In Europe, there are already proposals afoot for a significant overhaul of the data protection regime by way of a new Data Protection Regulation which would be directly applicable in all Member States. A lot of the detail of these proposals has been criticised by both the UK Government and the Information Commissioner (the UK data protection regulator) and so it seems unlikely that any future amendment of the UK Act would be in line with these EU proposals if the UK was no longer required to conform to EU law. On the one hand, this could benefit UK organisations if the Government implemented a more business-friendly approach to data protection. However, for organisations doing business in the UK, across Europe and internationally, it would lead to additional regulatory complexity for data protection compliance.

This could also present uncertainty for those European and international businesses, when looking to implement legally compliant and harmonized processes, policies and systems across the different European countries in which they operate.