The GDPR will enter into force as from 25 May 2018. As Brexit will in principle only take place on 30 March 2019, this means that on 25 May 2018, the UK will still be a EU Member State and that the GDPR will thus have direct effect on the UK.

Since its decision to withdraw from the EU, the UK has transparently shared its intent to adopt a regime which will be considered by the EC and the EU Court of Justice as providing an “adequate” level of protection in order to allow UK businesses to continue sharing personal data with the EU and the EEA countries. On 13 September 2017, the UK government made an important step forward in this direction by introducing a draft Data Protection Bill (the Bill).

Until the UK leaves the EU, the Bill (once final and granted royal assent) will therefore apply in parallel to the GDPR and should be read alongside the GDPR. After Brexit, the GDPR will be incorporated into UK’s domestic law via the EU (Withdrawal) Bill.