Will the GDPR still apply if the UK leaves the EU without a deal?
As long as the UK is a Member State of the EU, the GDPR has direct effect and applies to UK businesses as well as national data protection laws.
Without an exit agreement with the EU, the UK will become a so-called third country on the day it officially leaves the EU. Thus, the UK will leave without any transitional arrangements, and all EU law will cease to apply to the UK.
In a no-deal Brexit scenario, the GDPR – as it is an EU Regulation – will no longer apply. However, UK businesses and organisations will still have to comply with UK data protection law. According to the UK Information Commissionaire’s Office (ICO), the government intends to incorporate the GDPR into UK data protection law once the UK has left the EU.
For businesses that operate in the EU and provide goods or services to individuals in Europe or monitor the behaviour of individuals in Europe, the GDPR will still apply (at least with respect to processing personal data of data subjects in the EU). EU businesses transferring data to UK businesses will need to ensure that they only cooperate with businesses that ensure adequate data protection safeguards. Therefore, UK businesses are well advised to continue applying the GDPR, as in practice, very few changes to the core data protection principles, rights and obligations found in the GDPR are expected.