1 Aug 2016
Data Protection and Brexit - more 'known unknowns' and yet 'same as you were'
What does BREXIT mean for data protection?
Reading time: 5-7 mins
So. BREXIT. What now?
The full impact of the recent decision by Britain to leave the EU is not yet known. It's not even known when we will or even might know when it's happening. It's all a bit Rumsfeldian but we're clearly in uncharted waters and it feels like a great deal of uncertainty is going to become the norm.
Speculation as to how BREXIT will impact on our personal, professional, individual, collective and business lives is far reaching, ranging as it does from property prices to the cost of services, from holidays to the EU and UK to the price of bread and milk and from the employment status of migrant workers to the transfer of professional football players. Perhaps a little more dryly but just as importantly, this list also includes data protection.
We've covered data-protection in several posts over the past year - to one extent or another it was already a shifting issue, not least with Safe Harbour being replaced by Privacy Shield and the new General Data Protection Regulation (GDPR) legislation agreed and adopted in April.
But we, in the UK, have just voted to BREXIT, so what are the possible or likely implications to the new GDPR legislation?
To remind ourselves, when the GDPR takes effect (in less than two years time, by May 2018) it will replace the current data protection directive. The Commission's primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
As it stands it will also automatically take affect - so the GDPR, as a Regulation, must be implemented into law in the UK, exactly as written and it will be in place by 25 May 2018.
The latest, most (semi-)official line on our 'amicable divorce' from the EU, is that we have two years to agree a new relationship upon activation of Article 50 of the Lisbon Treaty. This we were told by (our outgoing aka lame duck) PM David Cameron will not happen until after the Conservative Party conference in October of this year. Just to keep us all on our toes, new PM Theresa May has said that this won't happen at all in 2016. Which would give us a leaving date of January 2019 at the very earliest - several months past the deadline for GDPR being implemented into UK law.
So the first likelihood is that the GDPR will be in place, in UK legislation before we leave the EU.
Secondly we are unlikely to tamper with it.
Even if we (as many Brexiter politicians have said we will) begin to clear out unnecessary EU legislation from our statute books, if we want to trade with the EU post-divorce, it is very doubtful that that the legislation already in place (i.e. the GDPR) will alter in any significant way. Just as the US has developed the Safe Harbour agreement, and now Privacy Shield, to bring US businesses in line with EU business practices and legislation to facilitate trade today - the UK will likely need to show the same level of compliance as a minimum.
Post-divorce, we have to assume that we (the UK) will still want to trade with the EU. So we'll next need to agree to certain EU trade regulations, one of which will involve the transfer, privacy and data protection of the personal data held on EU citizens and in order to process or store personal information on any EU citizen, we (the UK) must have in place our own robust data protection rules compatible with the GDPR.
Whilst not perfect, the UK has a strong history in data protection and the rights of the individual, so it's unlikely we will be conflicted by the primary objectives of the new GDPR.
The UK therefore, even outside the EU, will still likely have to follow the detail of the GDPR.
What should you do?
However, the over-riding view is that it will be business as usual and businesses and organisations need to continue to plan for the introduction of the GDPR now.
The ICO at least has just confirmed this view with a short post referendum result response.
From our blog: