GDPR (General Data Protection Regulation) is an EU regulation. This means it became the law in all member states of the EU (including the UK), without the need for a UK Act of Parliament. It also applies to the EEA (European Economic Area) states. When the UK exits the EU, the EU GDPR will no longer be law in the UK.
The UK Government has confirmed its intentions to allow the General Data Protection Regulation to form part of UK law following the country’s withdrawal from the European Union and as a result, the Data Protection Act 2018 will remain in place.
There will be some technical adjustments to the UK version of the GDPR and data transfers from/to EU, but overall most GDPR requirements will remain the same. This means the first and most important step is to ensure compliance with GDPR principles, rights and obligations.
In summary, as a UK organisation, you will need to comply with the UK data protection regime after exit, and the UK Information Commissioner’s Office (“ICO”) will regulate this regime.
If you also have offices, branches or other establishments in the EEA, the EU regime will still apply to your European activities even after the UK leaves the EU. The ICO will no longer regulate the EU regime.
If you are only based in the UK, but you offer goods or services to individuals in the EEA or you monitor the behaviour of individuals located in the EEA, then the EU regime will also apply to your processing of personal data in relation to those activities. You may have to deal with the ICO and with European supervisory authorities in every EEA and EU state where individuals are affected by these activities.
The impact on GDPR, from a UK perspective is very limited; companies will still have to comply, Brexit or not.
If you have any further questions or queries with regards to the above, please do not hesitate to contact us and we will be more than happy to assist you.