GDPR and BREXIT - Your Options

As you know by now, the United Kingdom is leaving the European Union.

There are two-ways the UK will leave the EU on the 29th of March 2019.

Without a Deal

If the UK leaves the EU without a deal, it will mean that Instantly EU Law will cease and UK law resume in all parts of the UK.  From a GDPR perspective, all UK businesses will immediately be outside the EU and need to comply with GDPR rules, as a NON-EU Country.

With a Deal

Although it is not clear what the final deal may be, with only a few months before BREXIT Day, the basic idea is that businesses will have a "Business-As-Usual" status that is there will be a transition from EU Law to UK Law that commences 29th of March until 31st of December 2020. As a general rule, EU Law will apply in the UK during this transition period, although there are some exceptions.

UK Data Protection Act

On 23rd of May 2018, the UK Data Protection Act cam into force and replaced the Data Protection Act 1998. It is very much a parallel with the EU (2016/679) General Data Protection Regulation.

Once the Transition period is complete, the UK will be able to negotiation its own adequacy agreements to support the free flow of personal data into and out of the UK. Ideally this should allow those binding-rules already authorized by the ICO to remain in force.

Post Transition

After the end of the transition period or if any adequacy decision is revoked, the UK will is free to protect only the personal data of UK Citizens. The UK agrees, however, to ensure the data of non-UK citizens will continue to be protected in accordance with the GDPR, providing the data was processed prior to the end of the transition period.

During the transition period the other EU Member nations shall continue to treat UK personal data as if the UK is still a member of the EU.

At this time there is no decision on the Adequacy applicable to the UK with regard to the other member states of the EU. It is therefore, not certain if the UK will be considered safe or not, post transition. Regardless, preparing quality agreements with all suppliers and processors (and providing the information to your data subjects as described in Article 13 of the GDPR) will ensure that you are covered, regardless of locations.


There is some uncertainty about what is going to happen, which doesn't really help business ensure its compliance. Suffice to say, with proper agreements (prepared and executed now), and execution in accordance with both the UK Data Protection Act and the GDPR together with good Information Security will ensure compliance at just about every level, regardless of the government law makers.

The Global Data Protection Management System (GDPMS) - GRC will be updated regularly and as required to ensure compliance as and when the information comes to hand and as required to meet these dynamic changes to legislation.


Popular posts from this blog

Scholarship in Information Security Compliance & Law - Now Open for July 2019

We Will Pay For Your Study And Certification In Information Security Compliance & Law