Data protection rules in a post-Brexit world

The UK has left the European Union, but that doesn’t necessarily mean the end of GDPR.

It’s been three years since the EU General Data Protection Regulation (GDPR) came into force in the UK, ushering in strict rules over how businesses acquire, store and use data.

But after the UK’s departure from the EU in January 2021, there have been questions from businesses as to whether GDPR still applies to them.

The Information Commissioner’s Office (ICO) has been working with companies to explain their ongoing responsibilities regarding data protection, but it can still seem like a confusing jumble of acronyms to decipher.

Put simply, there hasn’t been a huge change in regard to data protection for UK businesses since Brexit. As of 1 January, the EU GDPR ceased to directly apply to the UK, but effectively became part of UK domestic law.

All EU-derived UK domestic legislation (such as Privacy and Electronic Communications Regulations or PECR) continues to apply.

The applicable legislation for those organisations trading within the UK has changed from the EU GDPR to UK GDPR. The UK GDPR, like the ‘original’ GDPR, restricts transfers of data outside of the UK in much the same way.

“Organisations selling goods or services to the EU will almost certainly have to work with both sets of rules, but these are the same in principle with only relatively small differences they may be required to take account of,” says Peter Galdies, director at data protection and privacy consultancy DQM GRC.

So what can you do to comply with regulations?

One of the biggest challenges is that organisations are often unaware of what constitutes personal data and the data they are processing.

There can also be problems around having little documentation, poor policies, inadequate contracts with third parties, a poor standard of consent, insufficient staff training and a lack of a formal Data Protection Officer (DPO) when it is required by law.

So first and foremost, you need to be aware of your obligations.

“There are a lot of companies that don’t realise they are data controllers and need to register as one and that there is a charge for it,” says Emily Overton, principal consultant at Records Management Girl (RMGirl).

“They likely don’t meet the requirements for a DPO either and there are simple steps you can take to find out if you are meeting your obligations. Smaller organisations also need to be aware that, especially if they are operating online, they have obligations – but the main thing is to not panic,” she says.

It is also important you know the difference between Data Protection, Data Privacy and PECR.

As we talked about earlier, PECR sit alongside the Data Protection Act and the UK GDPR. They give people specific privacy rights in relation to electronic communications, including rules on marketing calls, emails and texts, cookies and keeping communications services secure.

“One of the biggest things that is catching a lot of people out is about sending marketing emails: it is not Data Protection or GDPR,” says Overton. “You cannot rely on being a B2B or B2C [organisation] or that you think you have consent. You need to be able to prove it. It’s about no longer sticking your head in the sand and hoping it goes away. All those emails that went out in the run up to GDPR implementation were pointless and potentially unlawful because if you don’t have consent, you shouldn’t be sending them ‘opt back in’ emails.”

Elsewhere, Peter Galdies recommends cataloguing the data your business is processing and then completing a gap analysis to compare your current practice with what is expected in the UK GDPR and PECR regulations.

“Once the gaps are known the organisation should then seek to address these, prioritising those that are the biggest risk to the data subject and then the biggest risk to the organisation – they will often be the same.”

Tightening data security

Here are some practical tips from the ICO to help tighten up your data security.


Regularly back up your data and store it in the cloud, or somewhere other than your main workplace, if possible. If you’re using an external device as your back-up, you should encrypt it.


Make sure you and anyone else involved in your operations use strong passwords – including on smartphones, laptops, tablets, email accounts and computers.

Educate yourself and those working for you on how to spot suspicious emails. Checking for obvious signs such as bad grammar, requests for you to act urgently, and requests for payment will help you avoid being caught out.


And keep it up to date. The National Cyber Security Centre has some useful advice and guidance on cybersecurity.

