Data Transfer after Brexit

It is fair to say that data is power and bodies such as the European Union are recognising this more and more. Unfortunately, over the years we have seen massive abuse of power and insecure systems which have opened up alarming privacy issues. While some might suggest that the European Union went overboard with the General Data Protection Regulation (GDPR) this has tightened privacy, data protection and backup procedures. So, in the aftermath of Brexit how will UK companies be able to abide by European GDPR regulations and deal with EU citizens?


GDPR extends beyond the European Union

When GDPR came into force on 25 May 2018 it did so with a major fanfare, media headlines and doomsday scenarios. Thankfully, there was more than a modicum of common sense with the authorities introducing a period of leniency. This allowed businesses and bodies holding private information to adjust to the new environment and get their house in order. However, during this fanfare some businesses failed to realise that GDPR stretches beyond the boundaries of the European Union.


Data Transfer outside of the European Union

While the UK authorities look to secure an extremely tight working relationship with their European counterparts after Brexit, data protection will be a major issue for many companies. The GDPR is now common business practice across all European Union businesses and bodies processing personal data. It also takes in to account non-European Union operations. The fine print confirms that GDPR also relates to:-

Non-EU controllers and processors who process the personal data of individuals in the European Union

This covers the offering of goods, services and the monitoring of European Union citizens and could potentially lead to significant fines for non-compliant bodies.


UK companies

The situation with data processing and data transfer within the UK post Brexit is not straightforward. We already know that the UK has adopted GDPR. What’s more, many entities both public and private have already spent millions of pounds doing so. Scare stories may suggest that UK companies/bodies will be unable to transact with European customers in the future. However, the facts may well be very different from the fiction.


Continued GDPR compliance

It is highly unlikely that the UK government will ditch GDPR even when the UK has left the European Union. There are two main reasons for this conclusion:


Recent expenditure

UK based companies and private/public bodies have literally spent millions of pounds over the last few years to comply with GDPR. This ensured that they were able to collect and process the data of European citizens while also ensuring its security. There is no reason why the UK government would replace a recognised set of regulations. Doing so could cost multi-million pounds yet again.


Trading with the European Union


If the UK government decided to retain GDPR then this would go a long way. It could possibly bridge gaps between the UK and the European Union post Brexit. There would be no concerns regarding the processing of the data of European citizens. Security and various levels of protection would also remain part of UK law. Changing GDPR, and then going through some kind of recognition process with the European Union, would place more hurdles in front of a long-term trade agreement.


Conflict with local laws

We know from feedback regarding GDPR that some non-EU countries experienced a conflict with their local laws when attempting to introduce GDPR. As ever, there are ways and means around these legal technicalities. However, if the UK was to maintain GDPR after Brexit there would be no such conflicts. As mentioned above, this would remove a potential hurdle in pursuit of a long-term trade agreement. However, perhaps more importantly, it would make UK companies dealing in Europe more competitive/compliant than their international counterparts.

The degree of trust this would create between UK companies/bodies when dealing in the EU could prove priceless.


Protecting UK citizens

If you think about it, the UK government is now fully compliant with GDPR. This gives UK citizens a greater sense of security regarding their private data. Companies are now legally obliged to protect this data, introduce enhanced security and limit access to such information. There is also the opportunity for individuals to request a copy of their data held with EU companies/bodies. This ensures that companies are now more focused on maintaining accurate records and introducing new procedures to meet these requirements. Data breaches, security issues and abuses of information held on individuals can quite literally dismantle a company’s hard earned reputation overnight.


UK hosting companies

The deeper you look into the subject of GDPR the less likely it is that the UK government will tinker with this in any way. E-commerce hosting and online data collection is now an integral part of everyday life. UK hosting companies were forced to comply, at no small cost, with European GDPR regulations and they would not welcome a replacement regulatory structure. Server security has been enhanced and SSL certified websites will very soon be standard, which creates the perfect platform for UK businesses to transact with European customers.

For certain UK hosting companies would need to adjust their services in line with future changes to European GDPR laws. For many Brexiteers this may seem a step too far. Still, in order to maintain a strong trading relationship, the UK may need to follow where the EU leads.


GDPR fines

Where serious data protection infringements, phishing scams and non-compliance with GDPR have taken place, involving information relating to EU citizens, the EU is able to instigate significant penalties. Aside from a probable trial by media, and potential damage to reputation, the financial penalties are significant. EU Data Protection Authorities can implement fines up to €20 million or 4% of annual worldwide turnover. To establish a line of communication, all companies dealing with EU citizens must have a specific point of contact identified within their operation. The illegal transfer of European citizen data or security breaches could prove extremely costly. Especially to large international companies with EU business ties.



The transfer of European citizen data within the European Union and to companies/bodies outside of the EU is covered in detail by GDPR. In many cases you could argue that UK companies, even post-Brexit, have a competitive edge over their non-EU counterparts. The UK government has already implemented GDPR in full. It is still a member of the European Union, so full compliance is already in place. The level of compliance with EU law may need to be reviewed on a regular basis. However,  in theory, the UK and the European Union already operate on the same data protection platform.

On the downside, Brexiteers will complain that abiding by EU GDPR laws means that the UK will need to adapt. That is, if the EU decides to change/amend these in the future. For many UK online (and off-line) businesses this is a relatively small price to pay for their continued relationship with EU based customers. Indeed, GDPR has been heavily covered in the UK press. It already offers UK citizens a greater sense of security when it comes to protection of their data held by third parties. There is no conceivable benefit for the UK government to undo all the previous GDPR prep and integration work.