The Information Commissioner’s Office (ICO) released a statement on 19 April 2016 stating that the Data Protection Act 1998 (which is derived from an EU directive) will remain good law post Brexit, and in general terms everything will continue as it is currently for the next 18 months. However, one issue to bear in mind is that in May 2018 the General Data Protection Regulation (GDPR) is set to come into force in all member states of the EU with direct effect. The GDPR provides significantly more stringent rules than exist under the current law.
The UK will have a number of options but considering that the ICO has stressed the importance of having as much consistency in data protection laws on an international basis as possible because so many businesses operate across borders, it is likely that the GDPR will be adopted by the UK particularly if one takes into account that the UK is likely to still be a member of the EU by the time the GDPR comes into force.
Some commentators have posited the suggestion that the UK could use Brexit as an opportunity to amend the 1998 Act and relax the rules for UK businesses in order to give them a competitive advantage over their European counterparts by enabling them to operate with less ‘red tape’. This is unlikely because even if the UK has not negotiated a route into the EEA for example (and if it is in the EEA the GDPR will need to be adopted) UK businesses that trade with EU businesses will ultimately need to comply with the GDPR.