"Theresa May’s Brexit Speech – What does it mean for the EU General Data Protection Regulations (GDPR)?"Theresa May’s speech on the 17th January outlined the UK Government’s approach to negotiations with the EU and aimed to provide greater clarity on the objectives of negotiations and the term “Brexit means Brexit”. The speech made clear the plan to leave the EU single market, raised the prospect of sector-by-sector deals in relation to tariff free trade and the customs union and confirmed again the desire to end the jurisdiction of the European Court.

What does this position mean with regard to EU General Data Protection Regulations (GDPR) compliance and does it reduce the need for businesses and organisations to implement the requirements before May 2018?

GDPR comes into full operation on 25th May 2018 and so will be directly applicable to the UK. Before Brexit, the GDPR will be law in the UK. Post Brexit, the GDPR along with other EU derived laws will be transposed into UK law as part of the Great Repeal Bill so the GDPR in the short term will continue to have effect until, and unless, the UK Parliament decide to repeal the GDPR. Even if the Repeal Bill does remove the GDPR at a future date, the UK will need to ensure ‘adequacy’ as a third country to lawfully exchange data with the EU member states.

However, there are decisions which need to be taken and clarification sought on specific matters in the short term during the UK exit negotiations with the EU to ensure the continuing cooperation between the Information Commissioners Office (ICO) and EU data protection regulators and crucially to permit the continued lawful transfer of data between the UK and EU member states post Brexit.

For example, institutional cooperation lies at the heart of the GDPR. It establishes the new European Data Protection Board (EDPB). The Board has specific responsibility for the GDPR’s “consistency mechanism”, designed to ensure cooperation and consistency between national data protection regulators within the EU (for example when it comes to decisions relating to enforcement action and the level of fines issued for infringements under the GDPR).

What that cooperation would look like between the ICO and the EU regulators post Brexit remains unclear. Since we are moving to a Brexit which involves the UK leaving the EU in its entirety then the UK would almost certainly be classed as a “third country” and there is no reason to expect the ICO to have an ongoing presence on the EDPB (whether formal or otherwise) post Brexit.

It is also worth noting that the EDPB functions includes, inter alia, on advising the EU Commission in relation to the adequacy of data protection laws and measures adopted by “third countries”. Such adequacy determinations by the EU Commission are critical to deciding whether data can flow freely between the EU and countries sitting outside the EU.

Any assessment of adequacy in relation to the UK’s data protection regime would encounter difficulty if the UK does not adopt the GDPR in full or if there are any subsequent attempts to water down the Regulations.


It is for the EU Commission to decide when, or indeed whether, to make an adequacy decision in relation to UK data protection law. Simply “adopting” the GDPR would not in itself guarantee that such a decision would be made although one assumes it would be more likely.

As part of the UK Government’s timetable to exit the EU, one would expect the ICO to play a pivotal role in ensuring the UK secures a positive assessment of adequacy based on our full adoption of GDPR. Failure to do so would be bad for business and could potentially inhibit the freedom to exchange data between the UK and EU.

For more information on how EU GDPR will affect your business or organisation, speak to one of our data protection specialists on:


T: +44 (0)20 7090 1091

Article Author.

Ivana Bartoletti

Head of Privacy and Data Protection
Ivana Bartoletti is the Head of Privacy and Data Protection at Gemserv. Her years of experience in the field span... Read More From Ivana Bartoletti

Our Latest Insights.

Our work means different things to different clients and we wanted to share some details of the projects we have managed to give you an insight into our capabilities and the impact we have delivered as a business.


View All Insights

Say Hi.

Did you like what you read? Did you want to find out more about the subject? Or did you simply want to get in touch with us? Either way if you would like to get in touch with us you can do so using the form on the right.

Gemserv will use your details to get in touch with you and to send you information about our products and services that you have requested, in accordance with our privacy policy. You can, of course, opt out of these communications at any time!

Get In Touch

Want to find out more?

Follow the links below find out more about the services we provide, our insight into the industries we serve or the opportunities available with us.
Sectors Capabilities Our Insights Careers