News article

Brexit: Data protection and EU exit

4 February 2020

Guidance to help businesses comply with data protection law after the EU exit

The UK has left the European Union on 31 January 2020 and has entered the transition period. During this period, which runs until the end of December 2020, it will be business as usual for data protection.

The EU General Data Protection Regulation (GDPR) will continue to apply until 30 December 2020. If you currently comply with the GDPR, you don't need to take any immediate action. Continue to follow existing guidance and meet the current requirements of the GDPR.

During the transition period, companies and organisations that offer goods or services to people in the EU do not need to appoint a European representative. The UK Information Commissioner's Office (ICO) will continue to act as the lead supervisory authority for businesses and organisations operating in the UK.

Since the GDPR is an EU regulation, in principle, it will no longer apply to the UK from the end of the transition period. However, the government intends to incorporate the GDPR into UK data protection law from the end of the transition period. This means that, in practice, there will be little change to the core data protection principles, rights and obligations found in the GDPR.

If you operate in Europe, offer goods or services to individuals in Europe or monitor the behaviour of individuals in Europe, the EU version of the GDPR may continue to apply to you after the transition period. The GDPR will likewise apply to any organisations in Europe who send data to UK organisations. Transfers of personal data from the EU/EEA to the UK will need to be carried out in line with the rules that safeguard international transfers of personal data.

The ICO has a range of resources to help businesses understand the implications of Brexit for the data protection laws.