Brexit and data protection - will firms still have to comply with the new EU GDPR?

Rules around how businesses and organisations can use, collect and store your personal data are currently regulated at an EU-level under the General Data Protection Regulation (GDPR).

GDPR and Brexit
GDPR and Brexit

This was brought into force last year, and along with the Data Protection Act 2018, provides a comprehensive data protection framework.

Regardless of whether we leave the European Union with or without a deal, there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.

However, under GDPR rules, organisations are only allowed to transfer personal data outside the EU if there is a legal basis for doing so, meaning that once the UK is out of the union this will become trickier.

GDPR and Brexit

The government has said firms can continue to send personal data from the UK to the EU, but our data protection regulations will have to be assessed before EU countries will be able to transfer personal data to the UK.

It is likely that our regulations will be found to be adequate (after all, we'll still be using GDPR) but discussions won't begin until after we have left the EU and the European Commission has not given a timescale for the issue to be resolved.