If your organisation operates in the EEA, you will need to comply with both UK and EU data protection regulations after Brexit. You may also need to appoint a representative in the EEA.

  • Your best preparation for data protection after Brexit is to comply with the GDPR now.
  • The UK is committed to maintaining the high standards of the GDPR and the government plans to incorporate it into UK law alongside the Data Protection Act 2018 after Brexit.
  • You will need to comply with the UK data protection regime for your activities in the UK.
  • If you have offices, branches or other establishments in the EEA, your European activities will be covered by EU law, even after Brexit. You can check which European data protection regulator will be your ‘lead supervisory authority’.
  • If you are only based in the UK but you offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you will still need to comply with the EU data protection regime in relation to these activities. In most cases you will also need to appoint a suitable representative in the EEA. This person will act as your local representative with individuals and data protection authorities in the EEA. You need to find a provider in the EEA who offers services as a GDPR representative. If you have a data protection officer (DPO), this cannot be the same person or one of your processors. Read more in our guidance to European representatives.
  • Make sure you review your privacy information and documentation to identify any minor changes that need to be made after Brexit.
  • Keep up to date with the latest information and guidance.