Brexit transition keeps GDPR obligations in force for UK organizations
The UK exited the EU on 31 January 2020, but the Withdrawal Agreement preserves EU GDPR and ePrivacy rules during the transition period through 31 December 2020, requiring organizations to maintain GDPR compliance and cross-border data transfer safeguards.
Executive briefing: The UK formally left the EU on 31 January 2020, triggering a transition period under the Withdrawal Agreement. EU data protection law continues to apply in the UK during this period, so organizations must keep GDPR compliance programs and cross-border transfer mechanisms in place through at least 31 December 2020.
Why it matters
- Data flows between the UK and EU remain subject to EU GDPR during the transition, avoiding immediate disruption but requiring ongoing compliance.
- Controllers and processors must maintain records of processing, DPO appointments, breach notification processes, and data subject rights handling as if the UK were still an EU Member State.
- Organizations should use the transition to prepare for potential future divergence and to validate Standard Contractual Clauses or other transfer tools for EU-to-UK data flows after 2020.
Operator actions
- Confirm that GDPR governance artifacts (RoPA, DPIAs, breach response playbooks) remain current and cover UK processing activities.
- Ensure EU-to-UK data transfer mechanisms (SCCs or Binding Corporate Rules) are in place in case adequacy is not finalized by year end.
- Update public privacy notices to clarify that GDPR continues to apply during the transition period.
- Brief product and vendor teams that ePrivacy cookie and consent rules remain unchanged for UK operations until at least 31 December 2020.
Key sources
- UK Government transition guidance (confirms EU law, including data protection rules, continues during the implementation period).
- ICO: Data protection and Brexit (advises that GDPR requirements stay in force through the transition and outlines transfer preparations).