SaaS Agreements – Data Protection – Brexit and the GDPR

SaaS suppliers and customers must currently comply with the terms of the Data Protection Act 2018 (DPA) which governs data protection law in the UK. SaaS suppliers and SaaS customers must also comply with the General Data Protection Regulation (GDPR) will applies directly in all Member States of the European Union (EU). Currently the UK is a Member State of the EU and even if a “Brexit” takes place and the UK leaves the EU, the GDPR will still apply in the UK.

Will the GDPR apply to the UK

Whether or not the GDPR will apply to the UK following a Brexit, will depend upon the agreement reached between the UK and the EU on the terms under which the UK will leave the EU and the timing of the Brexit. Namely:

  • the GDPR will continue to have direct effect in the UK;
  • the applicable data protection regime will depend upon the final terms of the Brexit deal agreed with the EU.

The Brexit deal could require the UK to adopt EU laws in order to be part of the single market, similar to the rules applicable to members of the EEA who are not EU Member States, or the Brexit deal may not require the adoption of EU laws in the UK, but the UK may be required to amend UK laws to comply with EU legislation, similar to the rules.

GDPR will apply even if the UK leaves the EU

Regardless of when the UK leaves the EU, the GDPR rules will still apply to all UK SaaS suppliers and customers after a Brexit, as the GDPR applies to non-EU SaaS suppliers and customers who offer goods or services in the EU, or who monitor the behaviour of EU data subjects.


The current position with regard to a Brexit is unclear and subject to change, however SaaS suppliers and customers need to be aware that current UK data protection rules will change following a Brexit, whenever this occurs. SaaS suppliers and customers, particularly those doing business in the EU, should review their current data protection policies, data aprocessing agreements, privacy policies and procedures to check that they will still comply with the the GDPR following a Brexit.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: