Brexit doesn’t mean Charities can Forget about Data Protection
At the risk of setting off a collective groan, the new European general data protection laws (or GDPR for short), approved earlier this year, heralded the most significant reform to data protection laws in the European Union for over 15 years.
Pre-Brexit, I am on the record as saying the reforms will have a significant impact on the third sector and how organisations deal with their data requirements.
Post-Brexit, my position has somewhat changed and is now what some may call a more lawyerly response. It is that the GDPR is likely to have an impact, but we are not yet sure as to the extent of that impact. This is a response pretty much in keeping with every answer to any question on Brexit at the moment.
There are, however, some things we can be sure of:
- The new data protection rules under the GDPR will apply to the member states of the EU from 25 May 2018.
- The UK is likely to still be part of the EU then and therefore the new rules will apply to the UK automatically without the need for the UK parliament to do anything.
- On the UK leaving the EU, likely to be sometime after 1 October 2018, the GDPR, like all EU Regulations, will cease to apply on divorce.
- While we are not sure what will happen after the divorce, it is likely that the UK will need something very much akin to the GDPR or the UK parliament will enact new legislation to give continuing effect to the GDPR itself.
- The third sector has a continuing requirement to comply with the existing UK Data Protection Act 1998 (DPA) and the privacy and electronic communications rules (the ones that deal with mass marketing and spam) whether in their current form, or in any amended form.
The Information Commissioner, in a statement on 28 June, said: “Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary. International consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.”
If you are a third sector organisation that operates in the EU, you will still be caught by the GDPR due to the territorial extent of the new laws, so you should continue to plan for its implementation and your compliance with it.
But for the majority of the third sector that do not operate internationally, what should they do? To the extent that any UK government tries to water down the GDPR, this is unlikely to wash with the European Commission, and the UK is likely to have to implement new data protection laws that are much improved compared with the existing DPA and, as I have said, akin to the GDPR. Uncertainty aside, it is highly likely that the safest option for the third sector generally is to prepare for something that is broadly in keeping with the GDPR.
The key tenets which underpin the GDPR are accountability and transparency. Organisations in the third sector aspire to uphold these principles in what have been unprecedented times, where public trust has been unquestionably damaged in the minds of many. The adoption of better data protection practices, whether in the form of the GDPR or something similar, will give the third sector a means of achieving better accountability and transparency in data collection and in how each organisation then uses those data in its campaigning, fundraising, governance and ultimately the delivery of its services or products.
Over the next year, in a series of blogs, we hope to tackle some of the new rules and obligations and look at how the significant changes of the GDPR could impact on how you collect and deal with data in the future.
Contact MacRoberts LLP for advice on Data Protection
The MacRoberts team of data protection specialists can provide expertise and advice to charities wishing to adopt a proactive approach to compliance preparation.