Does this section apply to us?

This section applies if:

  • you are a UK-based business or organisation; and
  • the GDPR currently applies to your processing of personal data.

How can we prepare?

When planning for a no-deal exit, you can use our guidance to assess the impact of legal changes in a few key areas:

Will the GDPR still apply?

The GDPR is an EU regulation. This means it became law in all member states of the EU (including the UK), without the need for a UK Act of Parliament. It also applies to the EEA states.

When the UK exits the EU, the EU GDPR will no longer be law in the UK. However, the UK government intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK (the ‘UK GDPR’). It will sit alongside an amended version of the DPA 2018. The government has published a ‘Keeling Schedule’ for the UK GDPR, which shows the planned amendments.

The key principles, rights and obligations will remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.

The UK government intends that the UK GDPR will also apply to controllers and processors based outside the UK if their processing activities relate to:

  • offering goods or services to individuals in the UK; or
  • monitoring the behaviour of individuals, where that behaviour takes place in the UK.

There are also implications for UK controllers who have an establishment in the EEA, have customers in the EEA, or monitor individuals in the EEA. The EU GDPR will still apply to this processing, but the way you interact with European data protection authorities will change.

This guidance covers the key new issues you need to consider regarding international data flows and cross-border processing.

Otherwise, you should continue to follow our existing guidance on your general data protection obligations.

Further reading

For more information about how other legislation we regulate is affected by a no-deal Brexit, see Information rights and Brexit – FAQs.