GDPR after BREXIT: What happens now that the UK has left the European Union?

by Aisling Moriarty February 06, 2020

January 31st marked the official departure of the UK from the European Union. After years of arguing over the terms of the departure, a general outline has been agreed. However, people are still confused as to what that means for EU regulations and trade agreements, and whether or not the UK will have to follow them.

What happens now that the UK has left the European Union?

Under the agreement formed between both parties, there is a transition period until the 31st December 2020, during which the UK will have to abide by all EU laws and regulations. After this period the UK will technically not be obliged to adhere to these laws and regulations. However, if it wishes to continue trading and carrying out any activities in the EU, agreements will have to be made.

This ambiguity has left companies and the general population confused about what will happen with GDPR after Brexit. On top of this, there are more than 700 other treaties to be negotiated before the end of the transition period. Every basic transaction will require not only UK-EU approval but also a deal-by-deal authorization from any and every third-party country involved. This is quite an ambitious timeline, but the UK Prime Minister Boris Johnson is determined to meet it.

Will the UK be subject to the GDPR after Brexit?

The short answer is yes. For the transition period until December 2020, the UK will have to fully abide by GDPR. However, after that it gets more complicated. There is an official agreement between the two parties, with the UK stating GDPR will be absorbed by their national legislation.

Once the UK leaves the European Union, it will be granted the status of ‘third country’, a classification which demands that countries maintain data laws that provide protections equivalent to those found in the European Union, ensuring that data belonging to citizens within the European Union is protected if it is transferred to a country outside of their jurisdiction.

Despite this agreement, Mr. Johnson has begun to undermine the UK’s position on complying with the EU. In spite of the EU affirming that the UK must “fully respect EU data protection rules,” Mr. Johnson said on Monday (3 February) that the UK will seek to diverge from the EU data protection rules and will “develop separate and independent policies” not only in data protection, but in a range of fields. Mr. Johnson said that the UK will “restore full sovereign controls over our borders, immigration, competition, subsidy rules, procurement, data protection.”

Will a UK data protection act be an equivalent of GDPR?

This is probably what is worrying people most. Mr. Johnson has given reassurance that the government would seek to maintain high standards in doing this, but this is causing some tension and worry. The UK has previously had some controversial mass surveillance programs, in relation to which the European Court of Human Rights found that the UK had breached human rights protections.

On the other hand, it is doubtful that the UK will stray far from GDPR guidelines, as the EU is such an important partner for the UK. What’s more, the UK was one of the leading countries in the creation of GDPR. It is most likely that Mr. Johnson is trying to assert his and the UK’s power and independence over the EU.

What should UK companies do in terms of complying with GDPR?

Although we won’t fully know what to expect from UK data protection until January 2021, companies should maintain full compliance with GDPR, as the most likely scenario is that the UK’s data protection laws will be somewhat similar.

Regardless of the national legislation of the United Kingdom, UK companies that have deals with European residents must adhere to GDPR, and many have been forced to review their practices, regardless of Brexit. In addition, companies may be required to get in touch with a data protection authority of the European Union in the event of an incident involving personal data.

Given that the UK is now outside the European Union and therefore beyond the scope of the Court of Justice of the European Union, data regulation will fall to a large extent on the Information Commissioner’s Office (UK), unless the case is concerned with residents of the European Union.

What other regulations of data will be affected?


The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the GDPR. PECR covers marketing, cookies and electronic communications and is established within the legal framework of the UK, so it will continue to apply to the UK.

The European Union will update PECR in the near future; these updates will not apply to the UK. There are currently no indications that UK laws are to be updated to align with PECR.

The NIS Directive

The Network and Information Security directive (NIS) is also derived from the European Union, but is established in the laws of the United Kingdom. Therefore, the current laws will continue after Brexit.


The Electronic Identification, Authentication and Trust Service (eIDAS), another EU law, is not in UK law; however, the UK government has said that it will implement the eIDAS rules.

Alongside the NIS directive, companies must also comply with eIDAS in EU member states.
