Brexit and GDPR: what businesses should be doing to prepare for a ‘no deal’ scenario


The increasingly real prospect of a ‘no-deal’ Brexit has serious implications for businesses across the UK. One very real concern is what a ‘no deal’ scenario would mean in terms of the European Union’s (EU) General Data Protection Regulation (GDPR).

Having expended serious time and effort on becoming GDPR compliant, UK companies are justifiably concerned about what they’ll need to do in the event of a ‘no deal’ Brexit.

After all, GDPR isn’t a law in and of itself. If it were, the UK could simply leave the EU and cease to be subject to it. Instead, it’s a European directive that requires member states to draft laws ensuring that their citizens abide by the regulations. 

The UK has already done that, having signed the Data Protection Act into law in 2018. Should the country leave the EU without a deal, however, the picture changes dramatically. 

No-deal scenario

In such a scenario, the UK would become a “third party” country, meaning that data cannot be shared between it and other countries in the European Economic Area (EEA) unless it is deemed to have “adequate” data protection laws in place.  

In theory, the Data Protection Act, which is in line with GDPR, should mean that the UK remains safe in the immediate aftermath of Brexit. And if it continues to follow the EU’s lead when it comes to data protection, then there’s no reason why that should change.  

As is the case with so much around Brexit, however, this can’t be taken for granted. Things can, and do, change quickly.  

Even if the UK remains compliant with EU data directives, businesses will have to take certain steps to ensure that they can keep operating on the continent.  

As solicitors Irwin Mitchell point out, these include:  

“Data transfers: If you transfer data to and from the EU, you may need to re-legitimise this by putting in place standard contractual clauses.

Binding corporate rules: If you rely on BCRs blessed in the UK by the ICO, these may no longer be valid for the EU and you may need to have them blessed by a data protection authority of a remaining Member State.

EU representative: UK businesses that have operations processing personal data in the EU after Brexit may need to appoint a representative in the EU that will need to register with a data protection authority in one of the remaining member states.

One stop shop: UK companies lose the benefit of the “one stop shop”/“lead supervisory authority” regime in GDPR. Consider whether you will be required to deal with multiple regulators simultaneously in the event of an issue affecting people in more than one country.”

Preparing for a no-deal Brexit

While this worst-case scenario may seem difficult to contemplate, organisations shouldn’t adopt a “wait and see” approach when it comes to Brexit. 

Instead, they should be hoping for the best and preparing for the worst. In addition to ensuring that they can take the above steps in the event of a no-deal Brexit, UK organisations will need to be doubly certain that they are GDPR compliant. 

Ultimately, if UK organisations want to continue trading in Europe with as little disruption as possible, they’ll have to demonstrate that they have the requisite measures in place to protect customer data. 

The last thing any UK organisation should do is think that Brexit gives it a “get out of jail free” card when it comes to GDPR. That way lies certain trouble. 

Michael Wright, CEO of Striata

Michael Wright
Michael is the founder and CEO of Striata. A Chartered Accountant by profession, he started his career at PwC where he was responsible for Internet Strategy & Services and Business Information Services. The technology bug having firmly bit, he moved to VWV Interactive as Managing Director before establishing Striata in 1999.