Simply put, it would appear the UK will be subject to EU rules, but have no way to influence them after leaving the Union.
Will we have influence when our country leaves the Union? The European Commission's chief negotiator on Brexit, Michel Barnier, does not think so.
ICO leader Elizabeth Denham told MPs earlier this month that a bespoke data agreement - which would give the UK's data protection agency a continued role in Europe after the UK leaves the Union - would be far superior to a so-called adequacy agreement.
The Commissioner stated;
"At this time when the GDPR is in its infancy, participating in shaping and interpreting the law I think is really important. And the group of regulators that sit around the table at the EU are the most influential blocs of regulators - and if we're outside of that group and we're an observer we're not going to have the kind of effect that we need to have with big tech companies. Because that's all going to be decided by that group of regulators."
Those who voted to remain have long argued that the UK will have no say on the standards and regulations implemented in the technology industry, such as for artificial intelligence, which companies will still have to follow if they hope to trade with the Continent:
Elizabeth Denham added;
"The European Data Protection Board will set the weather when it comes to standards for artificial intelligence, for technologies, for regulating big tech. So we will be a less influential regulator, we will continue to regulate the law and protect UK citizens as we do now, but we won't be at the leading edge of interpreting the GDPR - and we won't be bringing British values to that table if we're not at the table."
However, the EU's chief Brexit negotiator, Michel Barnier, quashed any hopes of the UK having any influence and suggested that an adequacy decision - which is granted if a non-EU state's laws are in compliance with EU regulations - would be the only thing available stating;
“As indicated in the European Council guidelines, the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision. It is one thing to be inside the Union, and another to be outside”.
Adequacy decisions enable trade and data flows, but do not allow countries to be involved in shaping regulations or laws in Europe.
With the ICO excluded from any sort of GDPR rulemaking - through which European data protection agencies can work together to coordinate regulatory actions - UK businesses will need to use an alternative agency to act as their lead regulator post-Brexit.
Meanwhile, organisations with data flows outside of the European Economic Area must ensure adequate safeguards are in place and appropriate contracts are entered into.
For assistance with Data Processing Contracts do not hesitate to contact Sarah Farish at firstname.lastname@example.org or on 0191 232 0283.