GDPR and Brexit

The debate over Brexit is raging in Parliament. The outcome will have far-ranging impacts across the UK. If your business sends personal data to another EU country or operates in the European Economic Area (EEA), there will be additional considerations. As no firm decisions have been made on Brexit, businesses in the UK will need to have provisions in place for both outcomes.


At the moment, data flows freely between the UK and EU since the UK is still a member state. That could all change based on the outcome of Brexit. 

Although some scenarios might seem unlikely, given the existence of local laws and regulations such as the Data Protection Act, businesses in the UK will need to prepare for all outcomes. Here are two possible outcomes as a result of the UK leaving the EU:

Brexit Deal (Includes Adequacy): A deal to bring the UK out of Europe with an adequacy agreement in place ensures secure third-country status. This agreement and status will not automatically mean that organisations and businesses based in the UK will be deemed to have adequate security measures in place to protect the rights and freedoms of EU data subjects. Additional thought should still be given to the legality of the data transfers and other applicable legal requirements.

No Brexit Deal (Without Adequacy): In the event of a No Deal Brexit and no adequacy agreement, uncertainty about secure third-country status will remain. If the UK is deemed an insecure third country, the following GDPR Articles and their stipulated requirements could be directly impacted:

  • Art. 40 GDPR Codes of conduct
  • Art. 42 GDPR Certification
  • Art. 44 GDPR General principle for transfers
  • Art. 45 GDPR Transfers on the basis of an adequacy decision
  • Art. 46 GDPR Transfers subject to appropriate safeguards
  • Art. 47 GDPR Binding corporate rules
  • Art. 48 GDPR Transfers or disclosures not authorised by Union law
  • Art. 49 GDPR Derogations for specific situations
  • Art. 63 GDPR Consistency mechanism

In the unlikely scenario of the UK becoming an insecure third country, additional measures to attain a status of (organisational) adequacy may be required. It is recommended that organisations and businesses in the UK prepare for all scenarios, given the great deal of uncertainty the UK currently faces.

Reduce Your Uncertainty

Professional consultants can be the solution to the dilemma of not having enough knowledge and expertise to handle the latest regulations. Cipher provides an array of GDPR assessment and consulting services to help customers gain a holistic view of their state of compliance.

Get Brexit Status Review

To get an understanding of how your organisation can get prepared, request a consultation.




Founded in 2000, CIPHER is a global cybersecurity company that delivers a wide range of Managed Security Services and Security Consulting Services. These offers are supported by the best in class security intelligence lab: CIPHER Intelligence. With offices located in North America, Europe, and Latin America, 24×7×365 Security Operations Centers and R&D laboratories, the services are complemented by strategic partners around the globe. CIPHER is a highly accredited company holding ISO 20000 and ISO 27001, SOC I and SOC II, PCI QSA and PCI ASV certifications. We have received many awards including Best MSSP from Frost & Sullivan for the past six years.

Our clients consist of Fortune 500 companies, world-renowned enterprises, and government agencies with countless success stories. CIPHER provides organizations with proprietary technologies and specialized services to defend against advanced threats while managing risk and ensuring compliance through innovative solutions.
