The short answer to the question “How does Brexit affect the GDPR?” is: it doesn’t. The GDPR is addressed first and foremost to the citizens of the European Union, so whether the UK is in the EU or not has little to do with it.
On February 1st, 2017, the Government of the UK confirmed full implementation of the EU GDPR. The Minister of State for Digital & Culture, Matt Hancock, declared: “We will be bringing legislation forward in the next Parliamentary session to put that into practice.” He also said that implementing the GDPR would strengthen free data flows with the EU after Brexit. No other details were given on the arrangements the UK might put into place. Hancock also commented on the UK-US exchange of personal data, stating: “Making sure the business between the UK and the US can take place post-Brexit is an important consideration for the Government.”
He also added, “Data sharing in the response to increasingly mobile threats is a critical part of our defences and security arrangements and the importance of security agencies working together across borders to share information to protect the public will not be changed by Brexit.”
As a result, if you are a UK-based organization, you have to comply with the GDPR. If you use personal data from EU citizens, it shouldn’t even matter to you what happens after Brexit, as the GDPR will be mandatory for you no matter what. Now, with the UK government’s statement, we can say for sure that you will need to comply regardless of whose personal data you process.