What impact will Brexit have on the EU GDPR?
If the United Kingdom (UK) is no longer part of Europe – do we still need to consider the implications of the new European Data Protection Regulation?
Short answer: Yes!
The longer answer follows:
The European General Data Protection Regulation (or GDPR for short), approved earlier this year, heralded the most significant reform of data protection laws in the European Union (EU) for over 20 years.
Pre-Brexit, it was clear the GDPR reforms would have a significant impact on every organisation operating or based in the UK which holds or handles personal data of any kind in any way. Post-Brexit the GDPR will have an impact but, as yet, we are not sure of the extent of that impact.
There are, however, some things we can be sure of:
- Every organisation has an ongoing requirement to comply with the existing UK Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications rules (the ones that deal with mass marketing and spam) whether in their current form or in any amended form.
- The new data protection rules under the GDPR will apply to the Member States of the EU from 25 May 2018.
- The UK will still be part of the EU as at 25 May 2018 and therefore the new rules will apply from that date to the UK automatically without need for the UK parliament to do anything.
- Whilst we are not sure what will happen after the UK leaves the EU, it is likely the UK will give continuing effect to the GDPR or adopt new data protection rules very much akin to the GDPR.
In her speech at the start of last week, the UK Minister with responsibility for overseeing data protection regulation, Baroness Neville-Rolfe DBE CMG, confirmed that the future of data protection in the UK is unclear ahead of the withdrawal negotiations but put forward some idea of what we can expect.
The Minister explained that if the UK remains in the Single Market the EU rules on data protection may apply in full to the UK. In any event those operating in the EU or handling the personal data of EU citizens should be aware that they will still be subject to the GDPR (due to its territorial reach) and should continue to plan for its implementation.
In the event the UK leaves the Single Market, the Minister commented that EU data protection rules may have to be replaced by new UK law. On a similar note the Information Commissioner said in his own recent response to Brexit that, “Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
So, it looks like a full reform of data protection law is still on the cards. We know what the GDPR looks like; what can we expect from alternative UK laws?
In his recent statement the Information Commissioner said “international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens”. This is something we can all (mostly) agree on. Too many regulatory regimes spoil the business!
In terms of content, EU data protection laws (both pre- and post-GDPR) require that any country to which personal data collected in the EU is sent must first be assessed as providing an adequate level of protection for those data. This affects anyone sharing data – think cloud computing, cross-border workforces, server locations, online payment facilities, etc. With the facilitation of business in the EU in mind, we can expect the UK Government to take account of the GDPR if it is required to craft new UK law to take its place.
A “watering down” of the GDPR is unlikely to wash with the European Commission, and the UK will probably have to implement new data protection laws that are a considerable improvement on the existing DPA (and potentially akin to the GDPR).
What do we do now?
Until we know more, the course of action at present is to prepare for something broadly in keeping with the GDPR. The key tenets which underpin the GDPR are accountability and transparency. Its provisions endeavour to protect personal data and enhance information management. Data is key to every business – whether customer/client data, staff or marketing data, sensitive or mundane data – and it will only serve us well to protect and manage that data.
As this series of GDPR blogs progresses we hope to tackle some of the new rules and obligations and look at how these significant changes could impact on how you collect and deal with data in the future, always with Brexit in mind.
Contact our Specialist Compliance and Regulatory Lawyers
MacRoberts’ team of data protection specialists can provide expertise and advice to businesses wishing to adopt this proactive approach to compliance preparation. We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.