Thoroughly knowledgeable,
very pragmatic and

Chambers Guide


Keep up to date with our latest insight pieces, news and industry developments. See below for the latest posts or use the categories to hone your search for stories of interest.

Rather listen? The WABChats Podcast provides engaging and informative conversations with contacts, clients, advisors and friends of White & Black Limited. Listen Now.

Brexit, Data Protection and the GDPR: The ICO speaks out

Britain’s data protection authority confirms British companies will need to comply with upcoming reforms

In the aftermath of Britain’s EU referendum, indicating that 52% of those voting wished to leave the European Union, there is considerable uncertainty about the long term effect of such an exit in a number of areas of law.  Article 50 of the Lisbon Treaty, which would trigger a maximum two-year timetable for negotiating an exit, has not yet been activated and there is no agreement at UK government level on the terms of exit that it will seek.

The UK Information Commissioner’s Office (ICO) has issued a statement to confirm that the Data Protection Act 1998, which implemented the 1995 Data Protection Directive (95/46/EC) in UK law, “remains the law of the land”.

The ICO spokesman also stated that if the UK was not part of the EU in future, upcoming reforms, i.e. the General Data Protection Regulation, would not directly apply, but that the UK’s data protection standards would have to be equivalent to the GDPR if the UK wanted to trade with the Single Market on equal terms.

WAB Comment

The UK’s data protection legislation is a result of EU legislation, but it is clear that, no matter what the long term outcome of the referendum, British companies will still be bound by equivalent requirements.

The GDPR will come into effect on 25 May 2018, which may well precede any actual exit under the Article 50 process.  Moreover, regardless of UK law, the GDPR applies to the processing of the personal data of all data subjects within the EU related to the offering of goods or services or monitoring their behaviour.

This extra-territoriality essentially means that organisations whose activities involve the personal data of any EU data subjects will be bound by the GDPR and could face significant fines for breach, whether or not those organisations have a physical presence in a current EU member state.

If you would like to discuss the implications for your business, please contact our Data Protection specialists Nick Mathys and Nicholas Mitchell.

Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.

This site uses cookies to improve your user experience. By using this site you agree to these cookies being set. To find out more see our cookies policy