Privacy security

UK: Brexit And Data Protection - Q&A

The UK decision to leave the EU will not affect existing data protection and privacy laws in the UK. These laws (the UK Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR)) protect people's personal data as well as ensuring that organisations have clear rules and a legal basis when collecting and using such data.

The DPA is the primary source of data protection legislation in the UK. It implements the Data Protection Directive (Directive 95/46/EC) and addresses such items as the definitions of personal data, sensitive personal data, the processing of data, notification and registration requirements, consent, rights of data subjects, collection of data, direct marketing, data transfers and sanctions for non-compliance. This will be the case until the DPA is amended or repealed by Parliament and all UK businesses should continue to comply with the DPA. Previous judgements of both the English and the European courts will continue to be binding in relation to the interpretation of the DPA, at least until the UK leaves the EU (at which point the status of EU jurisprudence will have to be considered).