Brexit means no GDPR

ignorance-582607_1920.jpgApparently, 24% of businesses are not preparing for the General Data Protection Regulation because they believe Brexit means it won’t apply in the UK. I deliberately didn’t post this on April Fool’s Day as it’s too serious.

The survey results are staggering on two fronts. First, these businesses have actually heard of GDPR and have undertaken some kind of evaluation on whether to comply. They’re arguably further ahead than the larger number who are either unaware of GDPR or who have yet to prepare. Second, having grasped that GDPR is a thing, these businesses have fallen at the next hurdle by assuming that Brexit will cancel GDPR. Perhaps they also believe that Brexit means the NHS will get an extra £350m every week?

I’ve previously posted about data myths and have been covering this latest one in my GDPR talks recently. Look, it’s fairly simple:

  • GDPR becomes enforceable in May 2018 and the UK gov previously indicated it will come into force in the UK (see Q72)
  • If the UK gov takes the full 2 years to negotiate, Brexit will occur on 29 March 2019 – that is, after GDPR is enforceable in UK law
  • In its February Brexit whitepaper (PDF) the gov said it would seek to seek to “maintain the stability of data transfer between EU Member States and the UK” as it recognises the stability of data transfer is important for the tech sector (see paras 8.38-8.40)
  • The March Great Repeal Bill whitepaper (PDF) doesn’t mention GDPR or data protection but states that the UK will continue to comply with the European Convention on Human Rights (see paras 2.21-2.25), arguably the foundation of modern data protection laws. Therefore, GDPR will be preserved on Brexit day
  • This means GDPR will come into force in the UK and will stay in force after Brexit

The government might change its mind later and revoke GDPR compliance. But remember, the UK had data protection laws before the EU did. And no data compliance officer I’ve spoken to wants to have a GDPR standard for that part of their business involving EU data transfers and a lower standard for the part with non-EU transfers. They want one standard, so that will have to be the GDPR standard.

So, in summary: GDPR will be enforceable in the UK notwithstanding Brexit.

UPDATE: What effect will the Snooper’s Charter have? As Brexit means the UK will leave the single market, this might take us outside data fortress Europe. This means we will have GDPR-style obligations but the EU Commission will assess our data protection laws as a whole to see if data transfers are ok to continue. If it decides we comply with GDPR then we will be on the safe list, just as Canada, Israel, Switzerland and others are at the moment. But the reason Safe Harbor was annulled and replaced with Privacy Shield was because of the US gov’s broad snooping powers. Arguably, the UK gov has similarly broad powers under the Investigatory Powers Act (aka Snooper’s Charter) so we may need to negotiate our own Privacy Shield. That won’t be straightforward as even Privacy Shield is undergoing a legal challenge. Best dig out those Model Clauses…


  1. Obviously everyone has to comply with GDPR. Larger companies with larger turnover will make for better headlines if they receive fines but they will probably have a compliance person so such fines might be less common. SMEs may not have compliance managers so might be more likely to breach and might be fined more frequently albeit the fines will be lower.


  2. I am trying to work with and evangelise to local small business about this forthcoming legislation in local networking events and at GDPR networking events.

    It pains me to hear the lack of understanding and the comments received back from them and the lack of a desire to even start to look at this ..

    Some common comments

    1. Brexit – it won’t matter … so i retort..

    a) so what about the year from Enforcement day 25th May 2018 to Brexit day March 2019 when we are very much still in the EU / EEA ..
    b) so you know the origin and geographic status of all your Data Subjects and can process or not based on their citizen status that to ensure you are (like to see any company that could accurately do that …) – why differentiate, why restrict your companies sell-able and operable space, treat all the same to simplify !

    2. I am a small company so it does not affect me – … so i retort

    a) yes it does it affects all of us but it is down to the risk level that you as a business are willing to take to
    b) are you willing to face brand reputation and even more worrying a potential class action by your Data Subjects if they are not happy with you?
    c) Yes you may not have a compliance framework mentality but your size and agility will enable you to use GDPR best practises as a differentiation to your competition – a USP.

    3. I can’t afford a compliance department or programme- … so i retort

    a) can you afford not to have one .. based on the above premise?
    b) get a contractor in on a day (s), week, 1 month basis and start talking about it – you may change your mind
    c) use a DPOaaService on a day, weekly or agreed basis

    I could go on but it really is a reality that generally SME’s are actually more of a high risk profile with respect to security and data breaches than their larger counterparts but as you point out, unlikely to be the head above the parapet targets of the ICO and enforcement bodies will go after …. but as the businesses of the future why not get off to good start and have the culture in place from the early days ..


What's your view? Leave a comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.