With the UK preparing to leave the EU, do UK businesses still need to get ready for the new General Data Protection Regulation (GDPR)?

The answer is an emphatic yes, for three reasons:

  • The GDPR applies from 25 May 2018, almost certainly before the UK leaves the EU.
  • The UK Information Commissioner indicated – on the day of the referendum result – that the UK may decide to retain the GDPR or adopt equivalent standards. That’s important because the UK will need an EU-approved data protection regime to continue receiving personal data from the EEA.
  • In any event, the GDPR will apply to UK businesses that offer goods or services to EEA residents or monitor their behaviour.

The GDPR brings in stricter obligations on how businesses deal with data, including in the context of corporate governance, data analytics, data crises and data-heavy transactions. And there are big fines for those in breach, even if the UK ends up outside the EEA.

So the short message is clear: UK businesses should continue to prepare for the GDPR.