What Does Brexit Mean For Data Protection in the UK?

3 May 2017


If you thought Brexit meant you could avoid EU data protection rules, you’d be sadly mistaken, as the regulations will still apply to UK companies dealing with the EU regardless of the UK’s exit from the union. So with the biggest change to EU data protection in 20 years on the horizon, UK data controllers are taking on the task of planning for implementation of the new General Data Protection Regulation (GDPR), with the added complication and uncertainty of Brexit and its possibly protracted negotiations.

A date of Friday 25th May 2018 has been set for the GDPR to come into force, although in a recent poll, 44% of IT professionals indicated they were unaware or only vaguely aware of the new rules.

Even though the UK has voted to leave the EU, UK organisations are likely to be heavily influenced by EU data protection and cyber security laws for a good while yet, with the GDPR’s go-live date set to pre-empt the UK’s departure from the EU. This means that UK companies need to prepare to meet the new regulations to avoid facing penalties.

When the current Data Protection Act was written into law in 1995, Google was 3 years away, and Mark Zuckerberg was just 11 years old. So with massive changes in the digital landscape since then, it’s clear that the DPA is long overdue an update.


“The referendum result has thrown our data protection plans into a state of flux. What hasn’t changed are the strong data protection rules the UK already has. We need those rules to ensure cross-border commerce, not to mention the privacy protections citizens and consumers expect.” Elizabeth Denham, UK Information Commissioner


Some of the key changes to be aware of include:

Security breaches: As soon as the data controller becomes aware that a personal data breach has happened, the Information Commissioner’s Office (ICO) must be notified no more than 72 hours later, unless the controller can demonstrate that the breach is not likely to result in a risk for the individuals’ rights and freedoms.

Enhanced data subjects’ rights: The new ‘Right To Be Forgotten’ means that, with a few exceptions, data subjects will be able to insist that their personal data is erased by the data controller and not processed any longer.

Consent: GDPR will mean that data controllers will need to demonstrate a legitimate reason for processing personal data, and that consent was freely given, informed and specific for each purpose for which data is being processed. Silence or pre-ticked boxes will no longer cut it when it comes to consent.


Commit to secure computer recycling to ensure data protection.


Regardless of the new regulations, responsible computer recycling is vital if you want to keep your organisational secrets to yourself and your clients’ data secure. So if your company is one that is committed to the ethical recycling of its obsolete computers and technology products, make sure secure and environmentally friendly computer recycling that adheres to proper recycling regulations is part of your consideration, to ensure ultimate data security. It’s also important to be aware that companies are now legally obliged to safely dispose of potentially sensitive information in accordance with current security laws and the Data Protection Act of 1998. Be sure only to use a computer recycling company that operates in accordance with, and preferably exceeds, all government guidelines such as the WEEE Directive and the Data Protection Act.
