SaaS Agreements – Data Protection – Brexit and the GDPR

SaaS suppliers and customers must currently comply with the terms of the Data Protection Act 1998 (DPA) which governs data protection law in the UK. SaaS suppliers and SaaS customers should be aware that from the 25th of May 2018, the General Data Protection Regulation (GDPR) will apply directly in all Member States of the European Union (EU). Currently the UK is a Member State of the EU and even if the UK gives the European Council notice of its intention to leave the EU, it has 2 years in which to negotiate the terms of a “Brexit”. It is therefore likely that the UK will still be part of the EU on the 25th of May 2018.

Will the GDPR apply to the UK

Whether or not the GDPR will apply to the UK following a Brexit, will depend upon the agreement reached between the UK and the EU on the terms under which the UK will leave the EU and the timing of the Brexit. Namely:

  • if the Brexit is after the 25th of May 2018, the GDPR will have direct effect in the UK;
  • if the Brexit is before the 25th of May 2018 the applicable data protection regime will depend upon the terms of the Brexit agreed with the EU.

The Brexit deal could require the UK to adopt EU laws in order to be part of the single market, similar to the rules applicable to members of the EEA who are not EU Member States, or the Brexit deal may not require the adoption of EU laws in the UK, but the UK may be required to amend UK laws to comply with EU legislation, similar to the rules.

GDPR will apply even if the UK leaves the EU

Regardless of when the UK leaves the EU, the GDPR rules will still apply to all UK SaaS suppliers and customers after a Brexit, as the GDPR applies to non-EU SaaS suppliers and customers who offer goods or services in the EU, or who monitor the behaviour of EU data subjects.

UK SaaS suppliers and customers will then:

  • be subject to fines of up to 4% of annual global turnover (or 20 million euros) for breaches of the GDPR;
  • need to appoint a data protection officer;
  • need to implement requests to be forgotten;

amongst the other obligations of the GDPR.


The current position with regard to a Brexit is unclear and subject to change, however SaaS suppliers and customers need to be aware that current UK data protection rules will change on the 25th of May 2018 or following a Brexit, whenever this occurs. SaaS suppliers and customers, particularly those doing business in the EU, should review their current data protection policies and procedures to check that they will comply with the rules of the GDPR, if this should become necessary in due course.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles:

Bodle Law