How will data protection rules change after Brexit?


It seems like the UK’s exit from the EU is just around the corner, and there are still so many questions on what will change and how businesses will be affected.

When it comes to data protection laws, there are already some answers which is great news for those eager to start their preparations.

Currently, the rules for the use and collection of personal data are governed by both UK and EU regulations; the Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR) respectively.

Following Brexit there would be no immediate change as the DPA 2018 already incorporates the GDPR into UK law. Having said this, the transfer of personal data from the EU to the UK is not specifically covered. This is because a decision has yet to be made by the EU on the UK’s level of personal data protection. Until this decision has been made, the free flow of personal data will not apply to the UK. The transfer of personal data from the UK to the EU however, remains unrestricted – though this too may come under review by the UK Government.

How should businesses prepare?

Firstly, make sure that your business is already compliant with the GDPR and the DPA, especially if your business holds or processes personal data on EU citizens. By already following the best-practice set out in the GDPR, your business will be in a better position to follow any additional guidance needed following Brexit.

As a decision on the UK’s level of personal data protection has not been made by the European Commission, receiving personal data from organisations or data centres in the EU could be an issue. You should work with these providers so that a legal basis for the transfer is established in order to assist in their compliance with GDPR. In most cases, the most relevant legal basis would be that the transfer is contractual but in certain circumstances, these providers could rely on a derogation to transfer the data. It is definitely advisable to do thorough research into this area and consult the advice on the Information Commissioner’s website as there is a commitment from the ICO to produce guidance on how businesses can fulfil their data protection obligations.

Read more about this issue in the Government’s “Data protection if there’s no Brexit deal” guide.

If you would like to know more about complying with GDPR or would like to receive details of any other services we offer, please call 0333 344 3646 or email [email protected].

Sign up to get the latest in your inbox

    • Email address

About the author

  • Name:

    Michelle-Louise Janion

  • Company:

    Marketing Executive

  • Bio:

    Michelle worked for Citation ISO Certification from 2017 to 2019, producing engaging content around ISO Standards and other compliance related topics.


QMS International use cookies to provide you with a better site experience, enable features and to help us understand how our website is being used.

By continuing, you consent to the use of cookies in accordance with our Cookie Policy

Allow All Cookies

Allow Strictly Necessary Cookies Only