The choice of UK voters to pull the country out of the European Union complicates the compliance duties of companies that deal with data from the UK and the EU, but initially, businesses ought to continue to focus on the internal changes they need to be making to get ready for the new EU General Data Protection Regulation (GDPR).
Discussions with EU privacy commissioners in recent months (including the UK Information Commissioner) about the possibility of Brexit have made clear that any updated UK-specific data protection legislation is highly likely to closely mirror EU data laws. In short, the Commissioners' guidance is unambiguous: continue the effort to comply with the recently finalised privacy-by-design and other requirements.
There should be no distraction from efforts to prepare organisations for GDPR compliance. Its major new fines will still be a real business risk.
Businesses will need to keep a close eye not only on the changes needed to deal with the GDPR, but also on any exception or variation that may be introduced specifically for the UK.
For various reasons, not least that the new data laws will now not be changed EU-wide, that the UK remains part of the EU until any formal withdrawal (likely 2019 at the earliest), and that even after any exit UK data legislation will almost certainly continue to mirror the Directive/Regulation in order to secure "adequacy" status, the message being given is loud and clear: the recommended actions to comply (and to reduce the substantially increased fine risk) should remain the focus of businesses.
Beyond the macro level, individual businesses are best advised to act now: review their internal processes, terms and policies, implement the changes needed to meet the new privacy-by-design requirements, and bring themselves into compliance.