EU - Stay Calm and Keep Compliant: UK Brexit Data Protection Implications
The UK has voted to leave the European Union in the referendum of 23 June 2016.
Brexit, what now?
While the consequences of this result on the UK's data protection regime will stem largely from how
the UK Government chooses to maintain its relationship with the EU and how the UK legal regime will
be untangled from the EU framework, the take-home message is clear: stay calm and keep
It is likely that Article 50 of the Lisbon Treaty 2009 will be invoked, enabling the UK to withdraw from
the EU. However, this exit process will take an initial two year period (and possibly much longer).
Therefore, for the next two years at least, the UK remains part of the EU and must remain compliant
with data protection and privacy laws.
The 'two' year negotiation period for the Brexit and the two-year transition period for the EU General
Data Protection Regulation ("GDPR") will, to some degree, run at the same time. The GDPR will be
directly applicable in all EU Member States as of May 25, 2018, potentially before the two - three year
period during which the exit will be negotiated.
UK companies will therefore have to prepare for and start to comply with the GDPR notwithstanding
Additionally, even though the UK would be outside the EU (and possibly EEA), UK companies may
still have to comply with the GDPR from 25 May 2018 if they monitor the behaviour of, or offer goods
and services to, citizens in the EU/EEA from the UK (as any other non-EU/EEA company, due to the
extra-territorial scope of the GDPR).
Therefore for as long as Europe continues to be an important trading block for the UK, the EU's data
protection requirements will continue to be of relevance, both economically and politically, to the UK.
Many questions remain, including whether the UK will be granted adequacy status by the European
Commission and the timeframe for that as well as the impact on the UK of the "One-Stop Shop"
concept being introduced by the GDPR. We will continue to track and update on developments as
they unfold. It is clear however that EU data protection requirements will continue to impact UK
businesses and operations, whether directly or indirectly.
Above all else, continued compliance with high standards of data protection law is not only important
for ongoing European trade, but to maintain the consumer and employee trust, which is essential in
the digital age.
To conclude, a quote from Lord O'Donnell, summing up how the UK and the EU must co-exist in the
"Divorce can sometimes be painful, but it does not have to be messy. The secret to breaking up is the
same for states as for people - good planning, good sense and an ability to learn how to live and
trade together in a shrinking world."
For further views and to keep up to date as the situation unfolds you can view our dedicated Brexit
website here and our Brexit blog here.
We have also prepared a Checklist which outlines the core questions for the moment.
For more information, please contact Dyann Heward-Mills.