Do you have to take into account the GDPR after Brexit? Yes, but there will be a difference between a deal scenario and a no-deal scenario. The difference between the two scenarios will be explained below.
Update: the UK left the EU on 31 January 2020. There is now a transitional period until the end of December 2020, but this transitional period is extendable. During the transitional period, nothing will change in terms of data protection and the GDPR will continue to apply. It is so far unclear what will happen after the transitional period.
In case of a deal scenario, the Withdrawal Agreement between the European Economic Area (EEA, meaning the EU Member States plus Liechtenstein, Iceland and Norway) and the UK sets out the conditions of Brexit. It ensures that the withdrawal will be carried out in an orderly manner.
The Withdrawal Agreement will provide for a transitional period during which the UK, which will have become a third country, will continue to respect all EU legislation without being able to participate in the institutions or being involved in decision-making processes. In return, during this transition period the UK will be able to have access to the internal market and the customs union. The transition period was designed to help citizens, companies and administrations to adapt to Brexit.
If the Withdrawal Agreement with a transitional period is adopted, it is likely that the rules applicable to data protection in the UK will remain unchanged until the effective withdrawal date and throughout the transitional period.
In case of a hard Brexit, the UK will leave the EU without an agreement between the EU and the UK, meaning that there will be no transition period during which the UK will have to respect EU legislation. In this no-deal scenario, the UK becomes a third country and, consequently, EU legislation will no longer apply in the UK.
The no-deal scenario can be approached from two perspectives, namely from the perspective of an EEA-based company and that of a UK-based company.
It is important to have a look at the following topics to ensure compliance with the GDPR: