We do not expect much change to data protection obligations following the UK's decision to leave the EU, and businesses should assume that regardless of when we exit or what exit looks like, they will need to comply with the new GDPR. As a reminder, the GDPR is EU-wide legislation proposing large changes to the data privacy regime, to come into force by May 2018. Whilst the GDPR will not directly apply to the United Kingdom when it leaves the EU, we expect that if the UK wishes to continue to trade with the EU's single market, the European Union would require the UK to prove that it provides adequate security of personal data by reference to the GDPR. The ICO made it clear throughout the referendum process that businesses should continue to ensure that their arrangements comply with the GDPR, even in the event of a 'leave' vote. Further communication is awaited from the ICO following the result.

What Should Employers Do Next?

It is too early to predict what form the UK's 'adequacy' of security ought to take, but we will keep you abreast of developments, including updates from the ICO.