Prior to notice being given under Article 50 of the Treaty on the European Union (the “exit” mechanism for departure of a Member State), and for up to two years thereafter, the result of the UK’s referendum of June 24, 2016 to leave the EU (“Brexit”) will have no direct impact on data protection law in the UK.
More importantly, it is likely that businesses in the UK will face a data protection and cyber security landscape heavily influenced by EU law for the foreseeable future. The EU General Data Protection Regulation (“GDPR”) entered into force on 24 May 2016 and takes full effect at the end of a two-year transitional period expiring on 25 May 2018. The GDPR will therefore, most likely become applicable to the UK prior to the UK ceasing to be a member of the EU.