The Impact of Brexit on the GDPR: A South African Perspective

On 31 January 2020, the United Kingdom (UK) formally left the European Union (EU). The political, economic and social impact of this event are still to be determined, however, for those entities and individuals concerned with data protection and privacy, the exit of the UK from the EU could potentially open a flood gate of legal issues that will require appropriate and comprehensive consideration.

The prevailing data protection and privacy legal framework in place in the EU is the General Data Protection Regulation (GPDR). This Regulation has been considered by many to be a seminal legal instrument which has developed and put into practice many positive data protection and data privacy principles. This is not to say that the GDPR is beyond criticism, however a critique of the GDPR is beyond the scope of this article.

An important aspect of the GDPR is that it is not limited by geography or territoriality. The GDPR governs the processing of personal data of EU citizens regardless of where that data processing takes place where such processing involves the targeting (offering of goods or services) towards EU citizens, or the monitoring of the behaviour of EU citizens while in the EU.

Taking the above into consideration, it is clear that since the UK and its citizens are no longer part of the EU they no longer fall under the protection and purview of the GDPR.

This now begs the question, what about companies that have been doing business in the EU and the UK, or perhaps only the UK, what effect does the exit of the UK from the EU have on compliance with the GDPR? Which law will apply then? We unpack some of these questions below:

How does Brexit affect the GDPR? Does it still apply?

The UK has a withdrawal agreement with the EU which allows for a transition period until the end of 2020 during which the UK will need to determine and negotiate its relationship with the EU as it pertains, among other things, to data protection and privacy. During this transition period, the GDPR will continue to apply to the UK and existing GDPR requirements will need to be adhered to.

Once this transition period comes to an end, as it stands now, the GDPR, will in some form or another be incorporated into existing UK data protection and privacy laws with potential amendments arising as a consequence of the transition period negotiations.

Once the UK has fully withdrawn from the EU, the GDPR will no longer apply to the UK and internal UK data protection and privacy laws will apply.

The GDPR will continue to apply in the EU and as such will still apply to companies, regardless of location, that receive data from organisations or individuals in the EU.

Due to the fact that a transition period has been put in place, it is recommend that any consideration regarding the impact and effect of Brexit on compliance with the GDPR, be revisited at the end of 2020, being the end of the transition period, in case any further revisions are required due to developments arising from the transition negotiations and/or the UK's internal adoption of the GDPR terms and requirements.

My South African company wants to do business in the EU and the UK, will I need to add functionalities to my website in order to be compliant with GDPR?

Yes, there will be additional functionality that will be required. This includes, but may not be limited to:

Opt-In Consent System: All forms that invite users/website visitors to submit personal information must inform the user/website visitor of the purpose of the gathering of said information and must allow for positive action in consenting to the gathering and use of said information. I.e. acceptance check boxes must by default set to "NO" or left blank.

Granular Consent System: Users/website visitors should be able to provide separate consent for different types of processing.

Unsubscribing System: Users/website visitors must be easily allowed to unsubscribe and/or revoke their consent.

Cookie Consent System: Visitors to the website must be informed in plain language about the type and purpose of cookies and trackers running on the website and must consent to the use of said cookies before other than strictly necessary cookies are run. This is generally done by a pop-up acceptance form/banner on arrival at the website.

Please note that certain internal business and data processing practices may also have to be amended in order to comply with the requirements of the GDPR.


Disclaimer: the information contained in this Insight is for awareness and discussion purposes only and does not constitute legal advice. For any enquiries, please get in touch at