Channel: Symantec Connect - Blog Entries

Brexit and the GDPR


The EU General Data Protection Regulation will impose new requirements on how your business data is processed, who is responsible for it, and what happens if it is lost, including harsh penalties for organizations that do not comply.

The recent Brexit vote has created legal uncertainty around the implementation of current and upcoming EU law in the UK. Although the position of Brussels is clear - that as long as the UK is an EU member it is expected to fully comply with EU law and its membership obligations - it is inevitable that investors, regulators, politicians and compliance officers will ask whether the UK can “cherry-pick” what it wants to apply as it walks towards the exit.

The future of the GDPR in the UK

Much depends on the nature of the new relationship, the concessions of each side, and the negotiation timeline once Article 50 is officially triggered. For those active in the technology space, a key question on the impact of Brexit is whether the General Data Protection Regulation (GDPR) will apply to the UK or not, and what will be the role of the Information Commissioner (ICO), the independent privacy regulator in the UK that would be expected to enforce GDPR.

A quick look at the timelines suggests that the GDPR, which will enter into force on 25 May 2018, will apply in the UK, since it is a regulation directly applicable in every EU member state. Even if Article 50 were triggered on 31st March 2017 (which seems more likely given recent UK government statements), the two-year deadline it foresees expires on 31st March 2019. Therefore, the GDPR would apply in the UK and would create legal obligations during the time the UK is a full member.

Based on existing timelines and the high degree of certainty that there will be lengthy negotiations between the UK and EU, it is safe to assume that unless there is a common decision to the contrary, the GDPR will become fully applicable in the UK.

Continuing relationships

Not all EU-UK relationships are likely to be severed after Brexit. In fact, the UK position suggests that the political objective for the UK will be to maintain some level of access to the single market.

Even a country like Switzerland, which Brexit supporters point to as an example of a successful external relationship with the EU, has qualified for essential equivalence status when it comes to data protection, which is then essentially covered by EU law. It is difficult to see how the UK, a major information technology hub in Europe, can secure access to the Digital Single Market while avoiding regulatory requirements on the treatment of personal data.

The implications for UK companies in Europe

One also needs to remember that the GDPR applies to all companies that target the European territory with their products or services. Due to the export focus of the UK digital economy, many UK-based companies and their suppliers will need to apply the GDPR in their internal processes irrespective of the “law of the land” because it will be a legal requirement for doing business in continental Europe. Consequently, some of the stringent GDPR requirements such as security, breach notification, cross-border data transfer, right of access and right of deletion will apply in the UK “through the back door” by virtue of companies’ internal policies and contractual requirements.

Whereas questions around the impact of the GDPR and Brexit are understandable, it seems that the GDPR will apply in some form in the UK. In fact, there is even an incentive for the rest of the Member States to insist on GDPR applicability, since the alternative – UK access to the Digital Single Market without rules for data – would create a unique competitive advantage for the UK.

Likely consequences of Brexit

Nevertheless, Brexit does pose issues for the UK digital economy. For example, the impact of Brexit on the EU Fundamental Human Rights Charter raises concerns about the role of UK security agencies in accessing EU citizens’ personal data, even if UK legislation is essentially equivalent to the GDPR. This may result in agreements similar to the EU-US Privacy Shield in the UK for cross-border data transfers.

Another question will be around the participation in the European Data Protection Board of the Information Commissioner’s Office (ICO), seen as a progressive and effective regulator whose feedback the regulatory community would miss.

Brexit does trigger regulatory uncertainty in many policy areas, but less so in data protection. Companies operating in multiple jurisdictions in Europe, including the UK, should continue to prepare for GDPR compliance while closely monitoring the progress of the Brexit negotiations, as these will ultimately determine the exact compliance requirements for the UK.

