We bring light to law

The effect of Brexit on the General Data Protection Regulation (GDPR).

Brexit watch

The EU

The GDPR is due to take effect in the UK on 25 May 2018 which means that, assuming the government triggers Article 50 by March 2017 and the exit process takes two years, it will have come into force before we leave the EU in March 2019.

The General Data Protection Regulation (GDPR) is a new EU data protection regime approved by the European Parliament on 14 April 2016 which is due to come into force on 25 May 2018 and replace the existing Data Protection Directive and the Data Protection Act.
The purpose of the GDPR is to provide greater harmonisation by introducing a single legal framework that applies across all EU member states.
It introduces several changes, including increased enforcement powers, making consent to processing data harder to obtain, the “right to be forgotten” and a risk-based approach to compliance. For more details see our briefing note under Data Protection.
Whilst Brexit could result in an automatic disapplication of the GDPR the indications are that it will be subsumed wholesale into our domestic legislation following the Great Appeal Act.
The Data Protection Minister at the Department for Culture Media & Sport has said that “One thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection. This will be a major consideration in the UK’s negotiations going forward”
in other words, changing the GDPR principles in any substantial way is likely to jeopardise the U.K.’s ability to meet the EU adequacy requirements for transferring personal data into the United Kingdom from the EU, which would seriously threaten the UK economy.
Any serious dilution of the GDPR principles is unlikely to be popular because data privacy is an important issue in this country. The new Information Commissioner, Elizabeth Denham, has said she did not think that “Brexit should mean Brexit when it comes to standards of data protection”
it therefore seems safe to assume that GDPR is coming and that Brexit will not affect that.