The Information Commissioner’s Office (ICO) has confirmed that the Data Protection Act 2018 (which currently supplements and tailors the General Data Protection Regulation (GDPR) within the UK) will remain good law post Brexit, and in general terms everything will continue as it is currently until the end of December 2020 when the transition period ends.
The ICO has always stressed the importance of having as much consistency in data protection laws on an international basis as possible because so many businesses operate across borders. What happens at the end of the transition period will depend on negotiations during that period, however, the default position is the same as for a non-deal Brexit; that is the GDPR will be brought into UK law as the ‘UK GDPR’ and further developments made to deal with particular issues such as UK-EU transfers.
Some commentators have posited the suggestion that the UK could use Brexit as an opportunity to amend the 2018 Act and relax the rules for UK businesses in order to give them a competitive advantage over their European counterparts by enabling them to operate with less ‘red tape’. This is unlikely because even if the UK has not negotiated a route into the EEA for example (and if it is in the EEA the GDPR will need to be adopted), UK businesses that trade with EU businesses will ultimately need to comply with the GDPR.