Does the GDPR still apply to the UK following Brexit?

01 May 2017

As many as a quarter of UK businesses may have stopped preparing for the General Data Protection Regulation (GDPR), mistakenly believing that they will not have to comply because of Brexit.

A survey of IT decision makers at UK companies by Crown Records Management found that 24% of UK businesses are no longer preparing for the GDPR, the upcoming EU data protection rules. A further 4% have not even begun preparations. 

In February, the UK government confirmed that it would adopt the GDPR by the May 2018 implementation deadline, which is before the UK is expected to leave the EU. The Information Commissioner’s Office (ICO) recently said that it intends to hire 200 additional staff to help with GDPR compliance. 

Even after the UK leaves the EU, the country is expected to maintain data protection laws of a similar standard to the GDPR. Many UK companies that trade with Europe will also potentially need to comply with the GDPR, which applies to companies outside the EU that hold or process personal information of EU citizens.

The Information Commissioner Elizabeth Denham said in September last year that, given the importance of the digital economy, the UK will need to have data protection laws that are “adequate and essentially equivalent” to the EU, post-Brexit.


For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on


