Brexit – the impact on data protection
With the British public voting to leave the EU, where does this leave data protection in the UK?
Even with the Brexit vote, data in the UK will continue to be regulated by the current Data Protection Legislation. Although derived from an EU Directive, the Data Protection Act 1998 was passed by the UK Parliament and will remain in place after exit unless and until Parliament decides to repeal or amend it. The view of the Information Commissioner’s Office (ICO) is that the UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines.
But what of the new General Data Protection Directive (GDPR): does a Brexit mean that we can avoid the impact of further changes? The simple answer is no, except for those organisations that have no contact whatsoever with Europe. The reason for this is fourfold:
- The GDPR is due to come into force in May 2018. For the EU exit process, a Member State must give the European Council at least two years’ notice of its intention to leave, and a withdrawal agreement will need to be negotiated with the Union, taking account of the framework for its future relationship with the Union. Given this two-year notice period, the exit process and the implementation of the GDPR are likely to run in parallel. If the GDPR comes into force before the exit, the DPA may be repealed and the GDPR will have direct effect in the UK.
- If the UK exits the EU but chooses to remain part of the European Economic Area (EEA) (the ‘Norway Model’), this would mean that the EU/UK data flows will be subject to all applicable EU Data Protection rules, including the GDPR, as the EEA is effectively an area of ‘free movement of personal data.’
- The territorial scope of the GDPR extends beyond the EU. Any UK business which offers goods or services to individuals in the EU, whether or not for payment, or which monitors the online behaviour of EU data subjects, is caught by the regulation.
- If the UK exits the EU but does not choose to be part of the EEA, EU exporters will not be permitted to transfer personal data to a UK organisation unless adequate protection is in place. The UK may seek confirmation from the European Commission that it provides ‘adequate protection’, or individual organisations may sign up to model contracts which promise adequate protection. But in order to be deemed ‘adequate’, the protection will need to reflect the general requirements of the GDPR.
It is fair to say that, whilst the legal basis for data protection rules may change in the case of a Brexit, the ultimate effect on business will be largely the same and it would be prudent for any organisation doing business in Europe to abide by the GDPR.
The GDPR introduces significant new requirements for maintaining data protection records, obligations for carrying out ‘privacy impact assessments’, enhanced rights for data subjects and a 40-fold increase in the potential penalties for getting it wrong (from £500,000 to 20 million euros)!
Get in touch
In anticipation of these changes, get in touch about our Data Protection Health Check Service to review your data processing activities generally, and your compliance with the GDPR in particular, and to identify any areas of particular concern and where improvements might be made. Either contact me or firstname.lastname@example.org.
*We charge a small fixed fee for the service. However, this fee is refundable against any further instructions to advise on a programme for ongoing data protection compliance.
05 Jul 2016