On January 31, 2020, the United Kingdom (UK) is planning on exiting the European Union (EU). This will impact the privacy world in many ways. In this blog post, we’ll cover exactly what you need to know about Brexit and the transitions the UK and the EU are going through.

The Withdrawal Agreement Act 

The UK’s EU Withdrawal Agreement Act calls for a transition period from January 31, 2020, to December 31, 2020, giving the EU and the UK eleven months to adjust to the new changes. During this time frame, the EU’s GDPR and the UK’s DPA will continue to apply. 

On 23 January 2020, the UK Parliament ratified the agreement by passing the Withdrawal Agreement Act. On 29 January 2020, the European Parliament ratified the withdrawal agreement. The EU and the UK are fully “committed to ensuring a high level of personal data protection to facilitate such flows between them.” 

The EU Withdrawal Agreement Act keeps the GDPR in UK law and gives the government power to make appropriate amendments to ensure that it works effectively in a UK context. The UK government intends to use these powers to make the necessary amendments to the GDPR and is removing references to EU institutions and procedures that are not directly relevant to the UK.

Refresh: What is the General Data Protection Regulation (GDPR) and what is the UK Data Protection Act (DPA)? 

The General Data Protection Regulation (GDPR) is an EU regulation meant to improve privacy and give greater control to customers and citizens over their personal information and how it is used. 

The UK Data Protection Act (DPA) controls how your personal information is used by organizations, businesses or the government. The UK DPA is the UK’s implementation of the GDPR. 

Core concepts of the UK DPA and the GDPR include: 

  • Restrictions on how and why businesses can process personal data 
  • Additional protections for Sensitive Personal Data 
  • Privacy by design and privacy by default requirements 
  • Opt-in consent as a legal basis of processing 

What are the UK Government’s Current Plans for Data Protection? 

The UK Government plans to write the GDPR into UK law as an amended version of the UK DPA. It will apply to controllers and processors based outside of the UK if their processing activities relate to: 

  • Offering goods or services to individuals in the UK; or 
  • Monitoring the behavior of individuals, where that behavior takes place in the UK


During the transition period, companies must comply with both the GDPR and the UK DPA and stay up to date on ongoing negotiations between the UK and the EU regarding data protection matters. 

To find out how this impacts you and your organization, sign up for the webinar, Brexit Privacy Implications: What We Know About the UK’s Exit from the EU.