Does Brexit Impact Data Protection for Business?

February 2, 2021

Changes post brexit data protection

Brexit might not impact data protection for businesses immediately.

Here are some facts:

  • The UK was heavily involved in formulating the GDPR.
  • The UK has received an additional transition period for data protection.
  • The GRDP regulations will remain in place for businesses transacting with the EU.


The General Data Protection Regulation (GDPR) was enforced in May 2018. Its purpose is to strengthen the data protection rights of all individuals whose personal data falls within its scope of application. It also placed new requirements on businesses and any other entities that deal with personal data.

With all the changes taking place after the UK’s official exit from the European Union, you, like many others, may be concerned about whether the GDPR will change for UK business.

GDPR After Brexit: Are There Any Changes?

During the transition period, the UK’s ICO stated that the GDPR rules continue to apply in the UK as usual.

  • An additional four-month transition period, beginning 1st January 2021, was awarded to the UK, specifically for data protection. The period also has a two-month extension, provided that neither the EU nor the UK disputes the extension.
  • The validity of the extension depends on the UK not making any amendments to its current data protection legal framework.
  • The UK will not be considered a third country in terms of data protection before this period elapses.

According to the 2019 EU withdrawal act, the GDPR was geared to remain included as part of UK law because the UK was heavily involved in drafting it. However, since the 2019 withdrawal act was repealed, the UK will continue to uphold the GDRP data protections through the UK Data Protection Act 2018, which was modeled for this purpose.

In case the UK and the EU do not reach a consensus regarding data protection during the extended transition period, the transfer of personal and business data from the UK to EEA states and vice versa will have to rely on exceptions and safeguards such as SCCs.

Additionally, it is essential to note that GDPR applies to three main scenarios.

  1. Where the EU is the base of operations
  2. Where an entity may not be established in the EU, but it offers services or goods to it, either free or charged or the people within it
  3. Where an entity monitors the behavior of the people in the EU even if it is established in the EU

This means that even after the full implementation of Brexit, UK based businesses will have to continue applying GDPR standards to clients based in the EU. Moreover, businesses transferring data between the UK and the EU will have to comply with the transfer rules applying to both zones.

If your business transfers data between the EU and UK, there are some steps that you may take to prepare for the full effect of Brexit.

  1. Identify the data transfer rules applying to both zones and adapt accordingly. Here, you may prioritize the transfer of special category data and large volumes of data that are critical to your business.
  2. Have additional safeguards such as SCC’s in place.
  3. Verify whether you are an EU or UK representative to understand which set of rules applies to your business.

    Brexit is set to affect many sectors in the UK significantly. However, both the UK and the EU are continuously taking measures to ensure that businesses’ data protection rights continue to take effect. Therefore it is still vital to ensure data destruction is carried out in the right way.