Implications of Brexit
The UK vote to leave the European Union has created uncertainty about how the GDPR will apply to the UK in the future. However, as the UK Government submitted a formal notice of an intention to leave the European Union (under Article 50 of the Lisbon Treaty) only at the end of March 2017, the conclusion of negotiations for that exit will almost certainly occur after the GDPR application date of 25 May 2018.
This means that GDPR will have some direct application to the UK for a period of time while the arrangements for leaving the European Union are finalised.
The ICO has also indicated that, in order to participate in the Single Market and data transfers from the European Economic Area, the UK will need to adopt data protection standards that are essentially equivalent to those in the GDPR in order to justify an adequacy decision; therefore, notwithstanding the Referendum result, we do expect some degree of reform to UK data protection law.
Further, UK-based organisations that offer goods or services to EU-resident individuals or monitor their behaviour, or whose personal data processing activities are related to such offering/ monitoring, will in any event be directly subject to the GDPR regardless of whether it is in force in the UK.