Will the GDPR still apply if we leave the EU without a deal?

The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK if we leave the EU without a deal. However, if you operate inside the UK, you will need to comply with UK data protection law. The government intends to incorporate the GDPR into UK data protection law when we exit the EU – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.

The EU version of the GDPR may also still apply directly to you if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe.

The GDPR will still apply to any organisations in Europe who send you data, so you may need to help them decide how to transfer personal data to the UK in line with the GDPR.

The ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR, although we hope to continue working closely with European supervisory authorities.

For more information on how this affects your data protection obligations and what you need to do, read Data Protection if there’s a no-deal Brexit.

What will the UK data protection law be if we leave without a deal?

The Data Protection Act 2018 (DPA 2018), which currently supplements and tailors the GDPR within the UK, will continue to apply.

The provisions of the GDPR will be incorporated directly into UK law if we leave the EU without a deal, to sit alongside the DPA 2018.

New DP exit regulations have been passed which will make technical amendments to the GDPR so that it works in a UK-only context from exit day.

What role will the ICO have?

The ICO will continue to be the independent supervisory body regarding the UK’s data protection legislation.

The UK government will continue to work towards maintaining close working relationships between the ICO and the EU supervisory authorities once the UK has left the EU.

Is the ICO's GDPR guidance still relevant?

Yes. We expect UK data protection law to be aligned with the GDPR, so you should continue to use our existing guidance. Following the approach in our guidance will help you comply now and after we exit the EU (or after the end of any transitional period, if the UK agrees a deal).

We will continue to keep our guidance under review and update it where necessary.

Can we still transfer data to and from Europe if we leave without a deal?

The government has said that transfers of data from the UK to the European Economic Area (EEA) will not be restricted. However, if we leave the EU without a deal, GDPR transfer rules will apply to any data coming from the EEA into the UK. You need to consider what GDPR safeguards you can put in place to ensure that data can continue to flow into the UK.

For more information, read  Data Protection if there’s a no-deal Brexit and our guidance on international transfers.

We have also produced an interactive tool on using standard contractual clauses for transfers into the UK to help you.

What about law enforcement processing?

The data protection regime set out in Part 3 of the DPA 2018 will still apply to competent authorities processing for law enforcement purposes. These rules derive from an EU directive, but are now set out in UK law and will continue to apply after exit day (with some minor technical changes to reflect our status outside the EU).

We expect transfers of data from the UK to the EU and Gibraltar will be able to continue for the time being on the basis of new UK adequacy regulations. For more information on how the transfers rules work, read the international transfers page of our Guide to Law Enforcement processing.

If we leave the EU without a deal, transfers of data from the EU to the UK will be subject to local transfer requirements in the sender’s country. Your European partners may ask you to comply with additional safeguards. We suggest you contact your partners in the EU to discuss what they want to do to ensure that data can continue to flow into the UK.

For more information, read Law enforcement processing - five steps to take and Data Protection if there’s no Brexit deal – law enforcement processing.

Does PECR still apply?

Yes. The current PECR rules cover marketing, cookies and electronic communications. They derive from EU law but are set out in UK law. They will continue to apply after we exit the EU.

The EU is replacing the current e-privacy law with a new e-privacy Regulation (ePR). The new ePR is not yet agreed. It is unlikely to be finalised before the UK exits the EU. This means the ePR will not form part of UK law if we leave without a deal.

You can find more information on current PECR rules in our Guide to PECR.

Does NIS still apply?

Yes. The NIS rules cover network and information systems. They derive from EU law but are set out in UK law. They will continue to apply after we exit the EU. You can find more information in our Guide to NIS.

If you are a UK-based digital service provider offering services in the EU and we leave without a deal, on exit date you may need to appoint a representative in one of the EU member states in which you offer services. You will need to comply with the local NIS rules in that member state. If you also offer services in the UK, you will also need to continue to comply with the UK rules regarding your UK services.

Does eIDAS still apply?

The eIDAS regulation covers electronic ID and trust services. It is an EU regulation and will no longer apply in the UK if we exit the EU without a deal. However, the government intends to incorporate the eIDAS rules into UK law on exit. In practice, if you are a UK trust service provider, you should assume that you will still need to comply with eIDAS rules.

For more information, see our Guide to eIDAS.

If you offer trust services in the EU and we leave without a deal, you may also still need to comply with EU eIDAS law in other member states. The UK will no longer regulate that aspect of your services. But we intend to continue working closely with EU supervisory authorities.

Does FOIA still apply?

Yes. The Freedom of Information Act 2000 forms part of UK law and will continue to apply.

For more information, see our Guide to freedom of information.

Do the EIR still apply?

Yes. The Environmental Information Regulations will continue to apply unless specifically repealed or amended. They derive from EU law, but are set out in UK law. The UK has also independently signed up to the underlying international treaty on access to environmental information (the Aarhus Convention).

For more information, see our Guide to the EIR.

What happens if the UK agrees a deal?

In the event of a deal with the EU, it’s likely there will be a transition period – during which the GDPR will continue to apply in the UK and you won’t need to take any immediate action. At the end of the transition period, the default position would be the same as for a no-deal Brexit, but there may be time for further developments about how we deal with particular issues such as UK-EU transfers.

If a deal is agreed, we will update our guidance with more information about the effect of the deal.

Will you be producing more guidance?

The core data protection principles, obligations and rights will remain the same. So, at this stage, we don’t need to produce an entirely new range of guidance. However, some specific areas – chiefly in cross-border supervision and enforcement, and international transfers – are specifically affected. So we have produced the following new guidance:

We will also keep our Guide to Data Protection – and in particular our guidance on international transfers – under regular review, and update it to reflect the latest developments.

After exit, all our guidance will reflect the UK data protection regime and our position as a nation outside the EU, or the effect of any transitional period if a deal is agreed.

We will also regularly update these FAQs to reflect the queries we receive.

In the meantime, given that we expect UK data protection law to remain aligned with the GDPR, our Guide to Data Protection remains a good source of advice and guidance on how to comply with UK and EU data protection rules both now and after we leave the EU.

What happened to the ‘Leaving the EU – 6 steps to take’ guidance? 

We have refocused our data protection guidance for a no-deal Brexit so that it better addresses the needs of small organisations. We’ve taken many of the key points from the ‘6 steps’ guidance and included them in our new guidance for small organisations. In order to avoid any confusion we have removed the ‘6 steps’ guidance from the ICO website.

For those organisations who have already read and taken action on the basis of the 6 steps guidance, don’t worry – the content is still correct. However, we would also recommend that you regularly check our data protection and Brexit page for updates and new resources.