Key takeaways

• The future of data protection law in the UK is uncertain following the recent referendum vote in favour of leaving the European Union.
• The manner and extent to which EU companies will be able to continue to transfer personal data to the UK (or to the US via the UK) will depend upon the view taken by the European Commission as to whether, post-Brexit, UK law offers protection to personal data that is essentially equivalent to protection in the EU.
• Many UK companies will need to comply with the EU’s new General Data Protection Regulation, coming into force in May 2018, even after Brexit.  If a UK company after Brexit does business in the EU by offering goods or services, the GDPR will apply to it, without the necessity of an EU establishment which is currently required for EU law to apply, even if the data of EU-located data subjects are processed only on a UK-based server.