GDPR after Brexit – what’s next for SMEs?

Published on 14/08/2020 by Sonia Navarrete

After the UK government’s withdrawal bill was passed following a great deal of difficulty in parliament, the future of Brexit was set.

This placed a deadline on the UK’s departure from the European Union on New Year’s Eve, 2020. Although – in theory – this deadline could be extended to ensure a future trading agreement between the EU and the UK is reached, the government has said it will not do so under any circumstances. 

GDPR after Brexit


For SMEs, this means that how they will trade with suppliers and customers in EU states is likely to change.

In the field of data compliance, there are currently tools available to help businesses, like compliance software or even specific GDPR compliance software – however, there are likely to be some changes, too.

This is because SMEs have had to comply with GDPR (General Data Protection Regulations) which first came into force in May 2018. 

The UK had its own data management laws before GDPR. However, the introduction of GDPR meant that every UK organisation handling customer records needed to take much more care over data protection: for example, which information was kept, how long it was held for and how it should be destroyed.

Many SME owners and digital directors will know a great deal about GDPR already since it often meant a big change in data management when it first came in. Anything from cookie policies to the digital destruction of confidential customer records fell under its auspices.

So, what will happen to GDPR after Brexit? Will it no longer apply to UK-based businesses or will it still have an impact? If so, will it matter to businesses only operating in the UK with no European trade or will only larger organisations need to pay attention to it?

Read on to find out more about GDPR after Brexit and what you can do to plan for it before the new regime starts in January 2021.

Why was GDPR introduced?

Before progressing to GDPR after Brexit, it is worth noting exactly why GDPR came in and what it is for.  Some SMEs saw it as nothing more than a lot of additional administration that they could do without. However, the idea was to protect everybody, from individuals to small enterprises.

Any data collected on you became accessible to you. Only files that were reasonable to keep could be stored and everyone in the EU gained the right to be ‘forgotten’; in other words, to have their digital records destroyed. 

By forcing organisations to keep their data more securely, it also meant hackers found it much more difficult to get hold of customer files – something that has undoubtedly led to SMEs taking more care with cybersecurity measures. In turn, this has helped them to maintain a better reputation for corporate governance than they otherwise would have.

What does GDPR cover?

Currently, GDPR covers all organisations in the ways they handle online storage, their websites and their business apps, within a single legal framework.

Compliance with GDPR after Brexit may, therefore, continue to be a case of best practice. UK-based businesses are still going to need to manage all of the data they keep on the public, customers and suppliers. 

At present, UK companies bound by GDPR are also subject to the regulations enforced by UK law, specifically the Data Protection Act of 2018.

Indeed, this law already includes the ability to interpret its regulations in accordance with those of GDPR.

As such, GDPR after Brexit is likely to apply even when the UK is no longer subject to any EU directives. Of course, the UK parliament may well repeal the Data Protection Act and replace it. That is a question for the government, however. 

For now, the initial interpretation of the law will be similar to the regulatory framework that businesses currently operate in.

How should businesses act now?

SMEs that are confident they are compliant with GDPR rules need to look to future changes by the UK legislature. This will mean differences between the UK and the EU start to occur. 

In the immediate future, however, there are no known government plans to alter the law. Of course, any breaches of GDPR rules will be subject to UK law in UK courts.

Those businesses that sell services to EU citizens in Paris, Turin or Cologne will still need to be GDPR-compliant anyway. The EU treats businesses accessing its markets from outside in just the same way.

Those SMEs that need to know more about how they will comply with GDPR after Brexit as the UK departs the EU can get help with the right compliance software and GDPR compliance software.

Such software tracks policies and procedures to ensure they are compliant with the regulations.  

There are plenty of software packages and apps to choose from that are suited to SMEs. Effectively, they automate many of the processes needed under GDPR to help SMEs get on with their main business functions.



This article may refer to products, programs or services that are not available in your country, or that may be restricted under the laws or regulations of your country. We suggest that you consult the software provider directly for information regarding product availability and compliance with local laws.

About the author

Senior Content Analyst at Capterra, helping SMEs choose the best software. Published in Raconteur, Computer Weekly and IT Pro. Journalist and PR. Nature, bike and dog lover.
