Brexit means GDPR won't directly apply to the UK - but it still matters

ICO will call on government to reform UK data protection laws - probably to mirror GDPR

The UK's decision to leave the European Union in yesterday's referendum will mean that the upcoming EU reforms to data protection law will not directly apply to the UK, according to the Information Commissioner's Office (ICO).

In a statement, the ICO said that while the Data Protection Act remained the law of the land irrespective of the referendum result, the upcoming General Data Protection Regulations (GDPR) in the EU will not directly apply to the UK once it has left the EU.

However, it emphasised that if the UK wanted to trade with the single market on equal terms, it would have to prove "adequacy" - in other words, UK data protection standards would have to be equivalent to the EU's GDPR framework starting in 2018.

"With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO's role has always involved working closely with regulators in other countries, and that would continue to be the case," the ICO said.

It added that clear laws with safeguards were needed now more than ever because of a growing digital economy, and explained that it would be speaking to the government to present its view that reform of the UK law remains necessary.

Peter Galdies, development director at data governance, risk and compliance firm DQM GRC, suggested that it will be a number of years before Brexit has an impact on the legislative framework for privacy.

"After Article 50 is invoked, which gives our official 'notice' to leave the EU (which now looks likely to be after October 2016), there will be a mandatory two-year minimum period in which we remain a member of the EU whilst we negotiate an exit. During this time all existing legislation (including GDPR) will continue as before. Many forecast that this process might take much longer - with many estimates between three and six years," he said.

Galdies explained that companies that are already managing, storing or processing personal data relating to EU clients, prospects or employees will have to continue to do so according to the requirements of the GDPR regardless of Brexit, or they will be in breach of the GDPR and risk large fines.

"For many organisations nothing will change - the GDPR will apply even when we leave," he said.

He believes that the UK will eventually adopt legislation directly modelled on the GDPR.