Cyber Security Year 2020

February Issue

GDPR and Brexit

Even though the UK are to leave the EU, the UK will still need to comply with GDPR

Before GDPR was introduced, if you bought any goods or services online, the organisations you buy from could collect information and personal data ranging from your name, address, date of birth, or workplace, to your relationship status and online viewing habits.

The introduction of GDPR permitted organisations to gain clear consent to collect your data, and it applies to all companies processing the data of people residing within the EU, regardless of the company’s location.

So, if the UK plans to leave on Friday 31 January, the question on everyone’s mind is…”are we required to still be compliant with GDPR?”

As a new transition period starts, this allows Britain time to negotiate a new relationship with the BLOC. This period ideally runs until the end of December 2020. During the transition period the Information Commissioner’s Office (ICO) states that existing rules on GDPR will continue to apply in the UK, it will be “BUSINESS AS USUAL FOR DATA PROTECTION”.


According to The UK was a key player in the creation of GDPR, and has agreed that it will remain included within UK domestic law as part of the European (Withdrawal) Agreement.

Organisations operating inside the UK will need to comply with Britain’s data protection laws, but as GDPR is expected to be incorporated into its existing rules at the end of the transition period the ICO predicts little change to the core principles already in place.

For organisations that operate outside of the UK in any way, such as offering goods or services to people in Europe, or who monitor the behaviour of people in the BLOC, then GDPR still may apply to them. Likewise, any organisations in Europe that send personal data to UK organisations will still be subject to GDPR.

The rules for organisations could change depending on what is agreed upon between the UK and EU during the transition period.

If a data transfer agreement is not formalised by the end of the transition period, then organisations relying on EEA data transfers may have to find alternative transfer mechanisms.

One alternative is the use of standard contractual clauses (SCCs) to include GDPR-style data protections into contractual agreements. These are especially useful for sending data to countries where data protection laws aren’t thought to be adequate enough by the EU to safeguard citizen’s data.


We provide affordable GDPR consultancy and data protection support. We are experienced consultants, offering compliance implementation, IT Business Analytics, an on-hand Data Protection Officer and conduct bespoke training guides and training sessions which we tailor to businesses. We pride ourselves to give our clients guidance and full support as we know data protection can seem complex and time consuming. We will work with you to find the right balance between your business objectives, your legal obligations and IT support.

If you need GDPR support, data protection advice and IT support from an experienced team – E&L Consultancy Group is right for you!

Read more about the ongoing GDPR Enforcements