GDPR: What still applies post-Brexit?

As GDPR is an EU regulation it technically doesn’t apply to the UK anymore. We say “technically” because UK companies must still follow UK data protection laws, and GDPR is incorporated into this. This can also be known as UK GDPR.

If your company operates in the European Economic Area (EEA), sells goods/services, or shares data to or from people in the EU then the EU GDPR still applies as well as the UK data regulations.  

The ICO (Information Commissioner’s Office), states that they’re planning to continue to work with EU authorities however they’ll no longer regulate activities specific to the EU.


The Bridge

Known as the bridge, the EU has agreed to delay restrictions to personal data transfer until the 30th of June 2021. 

Until then you should prepare to ensure that data transfer complies with the new regulations. The ICO has created a useful tool to help you understand how to do this. 

The government has also published a press release on the European Commission's draft data adequacy decisions to ensure seamless data transfer, whilst upholding a high level of data protection, between the EU and UK.  

If these data adequacy decisions are finalised then the sharing of personal data between companies won't need multiple guidelines. It must be noted that individuals can still provide information from anywhere in the world.


UK & EEA Representatives

If your business or organisation has a presence in the EEA or is a European company with a presence in the UK, you may need a representative to assist during this period. 

You will need an EEA representative if you offer goods/services, or monitor the behaviour of people in the EEA but you don’t have a branch or office in the EU. 

This doesn’t apply if you’re a public authority or if the data processed is low risk and infrequent.

The representative can either be a professional, company, or organisation based in the EEA, which is authorised to represent you under EU GDPR. 

On the other hand, you’ll need a UK representative if your business or organisation is based outside the UK but offer goods/services or monitor the behaviour of individuals in the country. 


Current UK Data Law 

Now the Brexit transition period is over, the Data Protection Act 2018 (DPA) still applies to online activities. 

The Data Protection Act is the UK version of GDPR and outlines “data protection principles” to ensure that information is handled and used appropriately. 

As you can imagine, legal protection is stronger for sensitive data including race, ethnicity, political opinions, religion, trade unions, genetics, biometrics, health, and sexual orientation. 


User Rights to Data

Anyone who has their data collected also has the right to request access to their data and have it erased or stopped. 

Under the Data Protection Act, they also have rights if their personal data is being used for automated processes or profiling (e.g. customer targeting).

However, companies have a legal responsibility to store certain records such as in Finance or HR for a certain period.

These activities might also still need to be maintained for reporting purposes so would just be anonymised.

According to the government, situations, where data can be withheld, include:

  • Preventing, detecting, or investigating crime

  • Armed forces national security

  • Tax collection or assessment

  • Judicial or ministerial appointments 


We hope that this has made the new data regulations simpler for you and your company or organisation to follow post-Brexit. 

If you need a hand with your website data and security, we are ISO 27001 accredited specialists and offer security audits, PCI compliance, penetration testing, data protection, and secure website development.  

Speak to us now

Call us on 0117 909 6967 

Contact form



Find out more about the services we offer