31/01/2020

Whatever your views on it, Brexit is finally here. Ahead of the UK’s exit from the European Union on 31 January 2020, the Information Commissioner’s Office (ICO) has released a brief statement together with some updated FAQs clarifying how the General Data Protection Regulation (GDPR) will apply to UK businesses following that date.

As the regulatory centrepiece of European and British data protection, the GDPR will continue to apply to applicable businesses and organisations in the UK during the Brexit transition period, which is set to run until 31 December 2020. During that period, the compliance obligations contained in the GDPR, as well as additional provisions in the complimentary Data Protection Act 2018 (UK DPA), will continue to operate as usual.

While the GDPR itself will no longer automatically apply to businesses in the UK after the end of the transition period, much of it is planned to be translated into UK law as a ‘UK GDPR’, meaning that in practice affected companies will need to keep the same compliance processes in place. This localisation has been underway for some time, including the passing of regulations early last year amending the local GDPR regime to work from a ‘UK only’ perspective. And of course, the EU version of the GDPR will continue to apply to UK companies if they operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe.

If you’re an Australian entity subject to the GDPR by virtue of your activities in the UK, Brexit will have little to no practical effect on your compliance requirements, both during and following the transition period. During the transition period, the current GDPR will continue to apply as is. Following the transition period, the UK GDPR will retain the same extraterritorial scope and representative requirements as the EU GDPR, albeit altered in scope to the personal data of individuals located in the UK, and requiring a UK (rather than an EEA) representative. If you’re carrying out applicable activities in both the UK and the EU post-transition, you will be subject to both the UK and EU GDPR. 

Beyond this, certain details regarding the overall approach to data protection within a post-transition UK and as between an independent UK and the EU require finalisation. Regardless, the ICO as a regulatory body shows no signs of retreating from their staunch defence of data protection and privacy rights, and has confirmed that it will continue to act as the lead supervisory authority for businesses and organisations operating in the UK.

You can find the full text of the ICO’s statement together with its updated FAQs here.

For more information on the GDPR, and whether it impacts your business, click here.

Authors: Melissa Fai, Nikhil Shah, Bryce Craig

Expertise Area
""