Data Protection: The UK’s post-Brexit plan

The Brexit position paper from the government, The exchange and protection of personal data, was released today (24 August 2017).  What may sound like a dry topic could actually have wide-ranging consequences for businesses. The government is keeping the UK synchronised with EU data policy, and that is important for many businesses – and not just those in high-tech sectors.

The Brexit position papers

This week has seen a series of papers outlining the UK’s starting position for negotiations with the EU on our post-Brexit frameworks.  In most cases, the papers should not be taken too seriously as they are a starting point or wish-list, designed to give UK businesses a sense of certainty and detail. The EU negotiators could demand wholesale changes before the final agreement is reached. However today’s paper is different in that most of the ideas in it can be implemented unilaterally by the UK Parliament. As a policy guide therefore, this paper is more important than the others.

Basics of the data position paper

The UK will bring forward a new Data Protection Bill and this will ensure that at the point of our exit from the EU, the UK’s domestic data protection rules will be aligned with the EU data protection framework.  This means enacting the EU’s General Data Protection Regulation (GDPR – more detail below) into UK law, essentially making the UK a continued part of the EU data protection framework even after Brexit.  This is important, not least because many businesses based here and on the Continent will want to continue collecting, using and protecting data in the same way across their European operations.


Synchronising data policy with the EU is very important for business. Much has been made of the future trade in goods, but arguably data rules affect more companies than trade rules do (not every company trades abroad, but virtually every company holds some kind of sensitive or personal data).  A data breach, even if completely contained within the UK, must be reported to the Information Commissioner or stiff fines can be levied (see below).

Importantly, the rules protect the data of any EU citizen, no matter who holds the data or where in the world it is held.  Today’s paper proposes continuing that level of protection for UK citizens’ data after Brexit.  That means that if a company based in and collecting data in, say, the United States breaches UK citizens’ data privacy and does not report it, the UK government could impose significant fines.  (Of course in practice the capacity to enforce those fines will vary between jurisdictions).  This makes the UK essentially part of the EU’s data protection framework.

Summary of the GDPR

The EU’s General Data Protection Regulation (GDPR) becomes applicable in the UK on 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.  It will be enforced by the UK Information Commissioner’s office.  The GDPR applies to ‘controllers’ and ‘processors’ of data –  the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR. Companies have to report data breaches to the Information Commissioner’s office and if they break GDPR rules they can be subject to fines of up to 4% of the company’s worldwide turnover or 20 million Euros, whichever is greater. This level of sanction makes the GDPR controversial.

The full report is available here: