What does a post-Brexit future mean for data protection?

The fallout of Brexit is still very much a mystery, including the consequences for our data

We may have got Brexit ‘done’ as promised, but the reality of what this means remains to be seen. Leaving the European Union is sure to have consequences for practically every aspect of life in the UK, including data protection.

People are quite rightly asking what the future holds for data protection outside the EU, given that many of our existing regulations were devised in conjunction with the rest of Europe and are enshrined in European law.

As such, the future policy for the digital economy is far from clear, and many organisations are searching for answers.

You don’t need to change your processes immediately

The first question many businesses have is, now that the UK has a withdrawal agreement, what happens next? Over the next few months, there will be a transition period to allow the UK government to negotiate a new relationship with the EU. This was set to last until the end of 2020, but it could end up lasting longer because of the spread of the coronavirus.

During this period, the Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR), meaning you don’t need to take any immediate action. For now, you should carry on following existing data protection guidance.

What happens at the end of the transition period?

Unfortunately, there isn’t a clear-cut answer to this question yet, either. It depends on what happens during the transition period. At present, the UK’s DPA 2018 already includes the requirements of the GDPR and sits alongside the EU regulation. But there may be revisions to this in the future – particularly in relation to how we deal with moving data between countries.

This could pose challenges for businesses, especially those offering goods and services to, or monitoring the behaviour of, individuals in the European Economic Area (EEA). Organisations that fall into this category should consider appointing an EEA representative following the transition period.

GDPR vs. UK data protection law

In principle, the GDPR will no longer apply to the UK following the transition period, as it is an EU regulation. However, UK businesses will have to comply with UK data protection law.

According to the Information Commissioner’s Office (ICO), the government plans to incorporate the GDPR into UK data protection law following the transition period – known as the UK-GDPR. This means that, in theory, there will be little change for businesses.

However, the difficulties come for businesses operating in the rest of the EU as well as the UK. For them, the EU version of GDPR may also apply directly. The GDPR will also still apply to any European organisations that send data to your business, so you’ll need to help them decide how best to transfer personal data to the UK in line with the GDPR.

The Data Protection Act 2018, which is currently responsible for tailoring the GDPR to the UK, will continue to apply. The provisions of GDPR are planned to be incorporated directly into UK law from the end of the transition period, to work alongside the DPA.

Focus on best practice

So, what can businesses do to prepare for the inevitable changes on the horizon? Seeking advice from experienced GDPR consultants will help you take the necessary steps and feel more in control of your data protection.

It’s important during this time of uncertainty that you, as an organisation, are more certain than ever in the competency of your data protection measures. Best practice data protection on an individual business level has never been more important, so make sure you and your team are aware of what is required.

If an organisation can be confident in the fact that they are doing everything right when it comes to data protection, the regulations will ultimately take care of themselves.

by Ian Armstrong, Senior Information Security Consultant, SRM

Ian Armstrong is a Senior Information Security Consultant with over 22 years’ experience. Having previously led Northern Rock’s IT Security Team, Ian now delivers a range of projects at SRM, including ISO 27001, PCI DSS assessment and Business Continuity Planning/Disaster Recovery. Ian also holds a GDPR Practitioner Certificate.
