GDPR after Brexit: what the UK leaving the EU means for data protection regulations

Even though the UK is planning to leave the EU, the UK will still need to comply with GDPR

On 25 May 2018, the General Data Protection Regulation (GDPR) was introduced to give EU citizens more control over their personal data and how it’s used.

Before GDPR, if you bought any goods or services online, the organisations you bought from could have collected information and personal data ranging from your name, address, date of birth, or workplace, to your relationship status and online viewing habits.

The introduction of GDPR meant organisations had to gain clear consent to collect your data, and it applies to all companies processing the data of people residing within the EU, regardless of the company’s location.


Yet with the UK leaving the European Union on Friday 31 January, will it still be compliant with GDPR?

Here’s everything you need to know:

How will data protection be affected after Brexit?

Once the UK leaves the EU, a new transition period starts, allowing Britain time to negotiate a new relationship with the bloc. This period runs until the end of December 2020.

During the transition period the Information Commissioner’s Office states that existing rules on GDPR will continue to apply in the UK, and says it will be “business as usual for data protection”.

What happens after the transition period?

The UK was a key player in the creation of GDPR, and has agreed that it will remain included within UK domestic law as part of the European (Withdrawal) Agreement.

Organisations operating inside the UK will need to comply with Britain’s data protection laws, but as GDPR is expected to be incorporated into its existing rules at the end of the transition period, the ICO predicts little change to the core principles already in place.

GDPR may still apply to organisations that operate outside of the UK in any way, such as by offering goods or services to people in Europe or by monitoring the behaviour of people in the bloc. Likewise, any organisations in Europe that send personal data to UK organisations will still be subject to GDPR.

The rules for organisations could change depending on what is agreed upon between the UK and EU during the transition period.

If negotiations have not been finalised by the end of 2020, then previous government guidance said it would allow data to move from the UK to countries in the European Economic Area (EEA), but it has no control over the flow of data in the opposite direction. The ICO recommends organisations consider what safeguards can be put into place to ensure data can still flow into the EU.

If a data transfer agreement is not formalised by the end of the transition period then organisations relying on EEA data transfers may have to find alternative transfer mechanisms.

One alternative is the use of standard contractual clauses (SCCs) to build GDPR-style data protections into contractual agreements. These are especially useful for sending data to countries where data protection laws aren’t thought by the EU to be adequate to safeguard citizens’ data.