Brexit and the GDPR

If you are a UK company who processes the personal data of EU citizens, it is possible that Brexit will affect the data privacy management in your business. Currently, the UK and EU have agreed to a 6-month grace period (ending in July 2021 or when and adequacy decision is made) where personal data can freely flow between the EU and UK. This grace period is so that the EU Commission can decide on the whether to give the UK ‘adequacy status’.

The ideal outcome for UK and EU businesses is if the adequacy status is granted. This will create the least amount of disruption for businesses and, from a data protection standpoint, will mean business as usual. If the UK is not granted adequacy status, then this will generate a significant amount of administrative paperwork in the form of overhauling contracts between UK and EU businesses and nominating GDPR representatives in the UK or the EU.

 Are you exporting goods to the EEA?

UK companies exporting goods or services to the EEA may need to prepare if the UK does not gain adequacy status. Contracts will need significant alterations.

Are you Exporting to the UK?

EEA companies with no establishment in the UK who are exporting products and services to the UK will need to nominate a UK representative.

Are you monitoring EEA individuals?

UK companies monitoring EEA citizens will need to appoint an EU representative.

Tacita's Post-Brexit Services

To assist companies with a post-Brexit transition, Tacita is offering guidance and advice on how businesses can govern their data privacy environment under the new UK-GDPR. Guidance is charged as stated below with the first 20 minutes free of charge:

  1. 20 mins free consultation get a top-level understanding of your business to determine if/how severely you may be affected.
  2. 2 hours discussion charged at £120.
    • Go through key points of Brexit’s impact on data protection laws and the establishment of the UK-GDPR.
    • Answer any questions that you have regarding the changes and how this may affect your contracts.
  3. 4 hours discussion charged at £200.
    • As above plus a basic data mapping process. This will identify where personal data is flowing from your business to the EEA, enabling your business to scope your risk and develop a strategy for compliance with new laws.
  4. 10 hours charged at £400.
    • As above plus Tacita will create a detailed activity plan based on your specific needs. The plan will include timing of activities and overall work effort.
    • Q&A support for your organisation as you undertake the activities needed to migrate to UK-GDPR and EU-GDPR compliance.

What is happening with data privacy in the UK post-Brexit?

On the 31st December 2020, the transition period for Brexit ended. As the GDPR is an EU law, UK companies may be questioning if the GDPR still applies to them, or how it will affect the transfer of personal data between the UK and EU.


In the lead up to the end of the transition period, the UK government decided that it would write the existing GDPR laws into UK law. These new laws have been named the ‘UK-GDPR’. Currently, the UK-GDPR is functionally identical to the ‘EU-GDPR’. The only changes have been to switch references of the EU to the UK.


Although the rules are functionally identical, because the EU and UK are no longer part of the same trading bloc, companies may have to make administrative changes. The administrative changes are caused because under the UK-GDPR the EU is a 'third country' and under the EU-GDPR the UK is a 'third country'. This description in the law means that when data is transferred between the UK and EU stricter safeguards need to be put in place to protect personal data, e.g. standard contractual clauses. Tacita has a full news article on the implications of this here.

Send us a message

Telephone: +44 20 4526 5699
Email: contact@tacita.io

To see how we use your data, see our Privacy Notice.