How to Stay Compliant with the GDPR After Brexit

GDPR Brexit No Deal

With Brexit-no-deal staring us in the face, the big question for the future is what happens next?

The UK Government has stated its’ plans to keep the GDPR regulation “as-is” after it has left the Union; therefore companies are advised to maintain compliance with both the GDPR and the UK DPA 2018 even if they aren’t processing EU citizen data after the transition phase.

What happens once the UK leaves the EU?

Under the agreement, there will be a transition period that will run till the 31st of December 2020.

During that transition period, the requirements around the current General Data Protection Regulation and the UK Data Protection Act 2018 (DPA) and the need to comply with them both remain unchanged.

What happens after the transition phase?

The UK and EU have stated that they are “committed to ensuring a high level of personal data protection to facilitate such flows between them” hope to have made agreements by the end of the transition period.

During this transition period, the UK government and the EU will ideally negotiate for a data protection arrangement that suits both parties, whether that’s an adequacy decision, a Privacy-Shield type agreement, or another agreement that allows data to move freely between the UK and EU.

An adequacy decision is likely the most desired and possible outcome, but it is not guaranteed and may take many months or even years to happen. For example, the EU and Japan adequacy agreement took two years to become final.

After that transition phase, if no arrangements, deals or trade agreements are made between the UK and EU, the UK will leave under a “no-deal” scenario and become a “third country”.

As reported by CSO previously; in such a scenario, UK organisations and organisations with UK operations that receive personal data from the EU will need to ensure they have additional legal controls, such as standard contractual clauses or binding corporate rules in place to ensure compliance with the GDPR. Countries outside the EU will still be subject to GDPR and fines from the EU if they handle Personally identifiable information (PII) of EU citizens.


A statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – has been issued by the UK Government. It amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime. This is meant to work in a UK context after Brexit.

The UK GDPR will apply after the 31st December 2020

Under Article 37 of the EU GDPR, Most organisations that provide goods or services to, or monitor the behaviour of, EU residents would have to have an EU representative appointed.

How can your organisation prepare now?

As an organisation based in the UK which either offers goods or services to individuals in the EEA; or monitors the behaviour of individuals in the EEA, and do NOT have an established office or branch in any other EU or EEA state; you will still need to comply with EU GDPR regarding this processing post-Brexit.

If your organisation does carry out such processing and intends to continue after the transition period; you will need to consider the appointment of a European Representative in one of the EU/EEA states where some of the individuals whose personal data you are processing this way is located.

  1. You will need to authorise the representative in writing (setting out the terms of your relationship with them) to act on your behalf regarding your EU GDPR compliance, dealing with supervisory bodies and data subjects in your stead
  2. Your representative may be an individual, a company or organisation established in the EEA and able to represent you regarding your obligations under EU GDPR (a law firm, consultancy, or private company)
  3. Information about your representative should be provided to data subjects (e.g. In your privacy notice) and it should be made easily accessible to supervisory authorities.

Exempt from these are public authorities and if the processing is occasional, of low risk and not involving large-scale use of special category or criminal offence data.

Need help with compliance?

Risk Crew’s GDPR and DPA expert consultants can help you prepare now to ensure your organisation is taking all the right steps to comply with EU regulations and protect against potential fines. Request more information or a quote today.

Risk Crew