info@edpo.com
GDPR and Brexit: How Data Protection Will Be Impacted
Data protection is unlikely to be at the forefront of companies’ minds during this period, but there are real issues facing UK-based data controllers and processors thanks to the GDPR.
Once the transition period ends, the UK could be a third country, which means data transfers will become infinitely more complicated.
Here’s what you need to know about the GDPR and Brexit.
Will the GDPR Apply After Brexit?
Yes, the GDPR will still apply to UK businesses after Brexit because it is a European regulation that protects individuals in Europe. However, there will be two differences for all British people and businesses.
First, people in the UK no longer fall under the protections of the GDPR. As a result, you will not need to uphold the rights of the data subjects among UK residents, even if they are European. The GDPR covers their domicile, not their nationality.
Second, UK organisations will still need to meet the demands of the GDPR if they process data from data subjects who are in the EU. As a result, most UK organisations will still need to be GDPR compliant regardless of any trade or Brexit deals. This is already true for third party countries, of which the UK will soon be one.
The third party country status will be a significant change for UK data controllers and processors because you will need to prove that you handle data in a way that’s conducive to the GDPR.
The UK: A Safe Place for Data Post-Brexit?
The GDPR requires any third country data transfers to be (1) declared and (2) to occur only with countries designated as ‘adequate’ by the European Commission.
Countries with adequacy are those that use an EU-equivalent level of data protection. As a result, they aren’t bound by Article 46 and 47, and data flows between the EU and these countries without limits or checks. At present, countries recognized as being adequate for data transfers include Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.
The U.S., Canada and Japan are also included, but there are limitations to data transfers to these three countries. In Canada, only commercial organisations benefit. Additionally, the US-EU Privacy Shield only recognises transfers from U.S. companies who sign up to the framework. In Japan, the adequacy decision only covers private sector organisations.
What comes next for the UK will depend on any data protection agreements worked out in the transition period. The UK already uses the Data Protection Act 2018, which issued requirements similar to the GDPR in terms of privacy and transparency.
However, the most comprehensive understanding of what will be the UK version of the GDPR can currently be found in the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019.
Second, UK organisations will still need to meet the demands of the GDPR if they process data from data subjects who are in the EU. As a result, most UK organisations will still need to be GDPR compliant regardless of any trade or Brexit deals. This is already true for third party countries, of which the UK will soon be one.
The third party country status will be a significant change for UK data controllers and processors because you will need to prove that you handle data in a way that’s conducive to the GDPR.
Will Companies Be Able to Send Data Between the UK and the EU?
At present, the UK government does not intend to consider the EU a third party country in terms of UK data processing. As a result, UK companies are able to continue sending data to the EU. However, the EU has not reciprocated this commitment, which means that EU data transfers to the UK will face restrictions.
The results are likely to be messy. UK-based organisations will struggle to serve customers within the EU. It will also present unique challenges on the island of Ireland as well as for Gibraltar/Spain, where ties with the EU are intimate.
Lifting the restrictions will depend on the UK and each relevant company meeting the EU’s safeguards for supporting data transfers. The requirements for third country data transfers are detailed in Chapter V of the GDPR.
When Will the Data Transfer Rules Change?
The Withdrawal Agreement acknowledged by the EU and the UK government stipulated a transition period to last from January 31, 2020 to December 31, 2020. During this period, the UK agrees to continue following EU laws and regulations despite the ‘exit’ taking place in January.
As a result, data transfers (and the provisions or rights) will continue as normal for both EU and UK companies and residents for the duration of 2020.
On January 1, 2021, the UK will no longer fall within the category of a ‘Member State’ and will then become a third country.
However, there will not be a clean break. Any EU-originating data in the UK prior to the end of the transition period still benefits from the GDPR as written and amended by the EU. The product is a backstop that continues to protect the privacy of individuals in the EU regardless of the outcome of negotiations for 2021 and beyond.
Ideally, the GDPR will then be superseded by the UK’s adequacy decision, granted by the EU.
Will UK Companies Need an EU Representative?
If your UK company won’t have an EU office and you intend to accept the data of individuals in the EU (including UK citizens living within the EU), then you will need to appoint an EU representative.
An EU representative is not a Data Protection Officer (DPO). Instead, an EU representative is a natural person or body within the European Union who is able to communicate with individuals in Europe, as well as regulators, and potentially the European Commission, on your behalf. (A DPO works with your company or organisation to facilitate compliance.)
UK companies will not already have an EU representative because there is no need for one. It will be a new position given that the UK is understood to be a ‘Member State’ for regulatory purposes until January 1, 2020.
To be compliant with the GDPR, you will need a representative in place by the end of the transition period.
The Relationship Between the GDPR and Brexit is Not Yet Settled
During the transition period, the GDPR continues to apply to the UK. However, the relationship between the GDPR and Brexit beginning in 2021 is unsettled. Once the UK is no longer a ‘Member State,’ it becomes a third country, and it will need to negotiate adequacy status with the EU. What this entails and how long it will take is largely up in the air, as both parties must agree.
Are you a UK-based data controller or data processor wondering about what comes next on January 1, 2021? EDPO can help you fulfill your need to appoint an EU representative, which will keep you compliant with the GDPR. Take our quick assessment to find out if Article 27 will apply to your data processing activities after Brexit.
5 GDPR mistakes US companies make in 2025 – and how to avoid them
The General Data Protection Regulation (GDPR) continues to apply to many US companies in 2025, even if they do not have a physical presence...
GDPR and US companies: Up close with a Privacy Shield official
On Tuesday 26 May, EDPO hosted an exclusive webinar on GDPR and US companies with a Privacy Shield official. Rochelle Osei-Tutu shared her...
Are your Data Processors fit to be EU Representative under Article 27 GDPR ?
Appoint your data processor as EU Representative and tick off article 27 GDPR? The Croatia Personal Data Protection Agency(“AZOP”) says no....
About the author
Jane Murphy
The General Data Protection Regulation (GDPR) continues to apply to many US companies in 2025, even if they do not have a physical presence in the European Union. Despite years of guidance and enforcement, the same misunderstandings keep reappearing. Here are five of the most common GDPR mistakes US companies make — and how to avoid them.
Mistake 1 – Confusing the Data Protection Officer (DPO) with the EU GDPR Representative
An EU GDPR Representative is a local contact point for data protection authorities and individuals in the EU. Non-EU companies that are subject to the GDPR must appoint a representative to ensure smooth communication and compliance.
A Data Protection Officer (DPO) is responsible for overseeing a company’s internal data protection strategy and ensuring compliance with the GDPR. The DPO monitors data processing, conducts audits, and trains staff.
The DPO works inside the organisation, while the GDPR Representative is based in the EU and acts as an external contact point. Many US companies confuse the two roles, but under the GDPR, they are separate obligations and sometimes both are required.
Mistake 2 – Misunderstanding the extraterritorial scope of the GDPR
The GDPR applies to non-EU companies if they offer goods or services to individuals in the EU or monitor their behaviour online. This applies regardless of where the company is located.
Selling products to EU customers, operating an EU-facing website in EU languages, accepting payments in euros, or tracking EU visitors with cookies or analytics tools can all trigger GDPR obligations.
Mistake 3 – Incorrectly relying on the Privacy Shield (now EU-US Data Privacy Framework)
The Privacy Shield was an agreement that allowed certified US companies to transfer personal data from the EU to the US. In 2020, it was invalidated by the Court of Justice of the European Union in the Schrems II decision.
In 2023, the EU-US Data Privacy Framework (DPF) replaced the Privacy Shield. While participation in the DPF can help facilitate transatlantic data transfers, it does not exempt companies from GDPR compliance.
US companies must ensure that data transfers are lawful under the GDPR. This may involve joining the DPF, using Standard Contractual Clauses (SCCs), or implementing other approved safeguards.
Mistake 4 – Incomplete or unclear privacy policies
The GDPR requires privacy policies to be clear, accessible and transparent. They must explain what personal data is collected, how it is used, the legal basis for processing, and the rights of data subjects.
Many US companies omit details such as data retention periods, contact information for the EU Representative, or instructions on how to exercise data subject rights.
Mistake 5 – Underestimating GDPR fines and enforcement
Data protection authorities have issued fines to companies of all sizes, including non-EU businesses. In 2025, penalties for non-compliance remain high — up to €20 million or 4% of annual global turnover, whichever is higher.
Regular compliance reviews Data Protection Impact Assessments (DPIAs), staff training, and appointing an EU GDPR Representative can help mitigate risks.
How EDPO can help your business stay GDPR compliant
EDPO acts as your official EU GDPR Representative, ensuring compliance with Article 27 of the GDPR and facilitating communication with EU authorities.
For companies targeting the UK market, EDPO also offers UK GDPR Representative services to ensure compliance with the UK’s data protection regime.
Follow us on Linkedin for daily breaking GDPR news!
The General Data Protection Regulation (GDPR) continues to apply to many US companies in 2025, even if they do not have a physical presence in the European Union. Despite years of guidance and enforcement, the same misunderstandings keep reappearing. Here are five of the most common GDPR mistakes US companies make — and how to avoid them.
Mistake 1 – Confusing the Data Protection Officer (DPO) with the EU GDPR Representative
An EU GDPR Representative is a local contact point for data protection authorities and individuals in the EU. Non-EU companies that are subject to the GDPR must appoint a representative to ensure smooth communication and compliance.
A Data Protection Officer (DPO) is responsible for overseeing a company’s internal data protection strategy and ensuring compliance with the GDPR. The DPO monitors data processing, conducts audits, and trains staff.
The DPO works inside the organisation, while the GDPR Representative is based in the EU and acts as an external contact point. Many US companies confuse the two roles, but under the GDPR, they are separate obligations and sometimes both are required.
Mistake 2 – Misunderstanding the extraterritorial scope of the GDPR
The GDPR applies to non-EU companies if they offer goods or services to individuals in the EU or monitor their behaviour online. This applies regardless of where the company is located.
Selling products to EU customers, operating an EU-facing website in EU languages, accepting payments in euros, or tracking EU visitors with cookies or analytics tools can all trigger GDPR obligations.
Mistake 3 – Incorrectly relying on the Privacy Shield (now EU-US Data Privacy Framework)
The Privacy Shield was an agreement that allowed certified US companies to transfer personal data from the EU to the US. In 2020, it was invalidated by the Court of Justice of the European Union in the Schrems II decision.
In 2023, the EU-US Data Privacy Framework (DPF) replaced the Privacy Shield. While participation in the DPF can help facilitate transatlantic data transfers, it does not exempt companies from GDPR compliance.
US companies must ensure that data transfers are lawful under the GDPR. This may involve joining the DPF, using Standard Contractual Clauses (SCCs), or implementing other approved safeguards.
Mistake 4 – Incomplete or unclear privacy policies
The GDPR requires privacy policies to be clear, accessible and transparent. They must explain what personal data is collected, how it is used, the legal basis for processing, and the rights of data subjects.
Many US companies omit details such as data retention periods, contact information for the EU Representative, or instructions on how to exercise data subject rights.
Mistake 5 – Underestimating GDPR fines and enforcement
Data protection authorities have issued fines to companies of all sizes, including non-EU businesses. In 2025, penalties for non-compliance remain high — up to €20 million or 4% of annual global turnover, whichever is higher.
Regular compliance reviews Data Protection Impact Assessments (DPIAs), staff training, and appointing an EU GDPR Representative can help mitigate risks.
How EDPO can help your business stay GDPR compliant
EDPO acts as your official EU GDPR Representative, ensuring compliance with Article 27 of the GDPR and facilitating communication with EU authorities.
For companies targeting the UK market, EDPO also offers UK GDPR Representative services to ensure compliance with the UK’s data protection regime.