Skip to content


  • Add this article to your LinkedIn page
  • Add this article to your Twitter feed
  • Add this article to your Facebook page
  • Email this article
  • View or print a PDF of this page
  • Share further
  • Add this article to your Pinterest board
  • Add this article to your Google page
  • Share this article on Reddit
  • Share this article on StumbleUpon
  • Bookmark this page

How would a No-Deal Brexit affect data protection?

The EU and UK negotiators have agreed the technical details of a Brexit deal. Yet, with less than five months until the UK leaves the EU and considering the UK and each EU country needs to sign off on the deal, the likelihood of a No-Deal Brexit is still high. And this has raised questions around the General Data Protection Regulation (GDPR).

Leaving the EU won’t automatically free the UK from its laws thanks to the European Union (Withdrawal) Act 2018, but things will change. So, many of those responsible for data protection compliance in the UK are wondering: What is the impact of Brexit on data protection in the UK?

If we fall into a No-Deal Brexit scenario

A No-Deal Brexit wouldn’t mean organisations in the UK stop needing robust data protection. The Data Protection Act 2018 and EU Withdrawal Act will mean the same standards will be in place, but the UK won’t have an arrangement for data transfers and sharing with the EU. Instead, the UK will become a so-called ‘third country’ and its businesses will need to implement more data protection controls to be able to exchange personal data lawfully with the EU.

Third countries wanting to share data with the EU must fulfil the data safeguard mechanisms under the GDPR or go through a robust process to prove the country’s data protection measures are ‘Adequate’ – in other words, aligned to the GDPR. The European Commission will only start the Adequacy process after Brexit and would consider the strength of the UK’s data protection laws and its Competent Data Protection Authority capabilities. In our experience, the process takes between two and four years to confirm Adequacy status.

With UK data protection laws unlikely to change post-Brexit, the wait for Adequacy is likely to be much shorter than usual. But the route to Adequacy would itself create a level of uncertainty.

Waiting for data protection Adequacy

While waiting for Adequacy status, it will be more difficult for businesses to share data between EU and European Economic Area (EEA) member states and the UK. This is likely to affect most UK businesses as over 75 per cent of international data sharing from the UK goes the EU.

The effects of waiting for Adequacy will impact data sharing beyond Europe too, as counties like Japan and Canada adopt data protection laws that include export controls in line with EU advice. This could stop them sharing data with countries without Adequacy status or protective measures.

What has the UK Government said and done so far?

Amid uncertainties over Brexit, the UK Government recently ratified Convention 108+, an agreement on robust data protection principles and rules signed by 25 other countries (19 from Europe and six from the rest of the world). This convention lets the signatory states share data, providing they implement its principles that are much aligned to GDPR. While this doesn’t remove the Brexit uncertainty, it would lessen the impact of a No-Deal scenario.

The UK Government has also published its No-Deal Brexit advice on Privacy and Data Protection. It encourages companies to rely on established safeguarding mechanisms, such as the Convention 108+, to share data internationally. But until the UK gets Adequacy status, businesses won’t necessarily be able to freely share personal data with all their EU counterparts. So, they should ensure contingency plans are in place.

How can businesses prepare for a No-Deal Brexit?

The good news is, businesses that have already implemented a robust GDPR strategy should feel the impact less. But we’ve found, through our Data Privacy Maturity Assessment, that most businesses are yet to implement a comprehensive data protection programme or privacy strategy.

Whether your GDPR implementation is solid or not, there’s always more you can do to minimise the impact of a No-Deal Brexit on your data transfers, such as:

  • continue improving your data privacy programme
  • understand what data protection measures are available to you and which ones you would need for data privacy maturity
  • map the personal data flows to and from the UK and check whether you use EU-based service providers to process data
  • investigate whether your data goes to countries signed up to Convention 108+ and use it as an exemption

And, more importantly:

  • review which ‘third country’ data transfer safeguard mechanisms you can use for data transfers to the EU, such as Standard Contractual Clauses and Binding Corporate Rules
  • find out what you need to do to continue transferring high risk data (e.g. health data, criminal records, diversity forms), or consider re-directing them to alternative EU group companies with offices in the UK.

Contact the author

Contact the GDPR team


By using this website, you accept the use of cookies. For more information on how to manage cookies, please read our privacy policy.