Brexit – Implications for data protection

19 / 07 / 2016

Following the recent Leave vote, many businesses will no doubt be left bewildered as to the likely short-term and long-term effects that Brexit will have on UK data protection law, and what these effects will mean in practical terms. In particular, what does Brexit mean in relation to the European General Data Protection Regulation (GDPR), and what steps can organisations take to prepare and protect themselves?

The GDPR

The GDPR was published in the European Official Journal in May this year, starting a ‘sunrise period’ that will see its provisions take effect across the EU from 25th May 2018 (please see ‘Cyber security: Three quick wins for in-house counsel‘).Of course, the summer of 2018 is now likely to be the time that the UK exits the EU, and it might therefore be tempting to consider the GDPR as largely redundant for UK organisations. It seems, however, there are two reasons that suggest the UK will proceed to adopt a law equivalent to the GDPR:

If the UK is no longer a member of the EU, it would be designated a ‘third country’ and as such would have to demonstrate that it provides adequate protection for EU citizens’ personal data. It is by no means a foregone conclusion that the European Commission would make such an adequacy finding in respect of the UK. This could mean that organisations established in the EU Member States would have the same difficulties in transferring personal data to the UK as they are currently finding with transfers of such data to the US.

  1. The GDPR applies to organisations located outside the EU, but whose goods and services are aimed at EU citizens. Accordingly, any UK organisations selling goods or services to EU citizens will have to observe its provisions or risk penalties (up to 4% worldwide annual turnover / €20,000,000).
  2. It seems likely, therefore, that the UK will ensure the Data Protection Act 1998 (DPA) is brought into line with the GDPR, so as not to fall foul of the EU’s requirement for adequate protection of its citizens’ data. In addition, and irrespective of any changes to national provisions, UK services selling products and services to citizens of the EU will still be subject to the GDPR due to its extra-territorial reach. This was confirmed by the Information Commissioner’s Office (ICO) on the day of the referendum result, stating that “…UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018”.

Practical steps

The likelihood seems to be that the UK will need to adopt more stringent data protection laws, whether this be through an enhanced DPA or a close equivalent to the GDPR. Organisations should continue to follow the advice of the ICO in respect of how best to prepare for the GDPR, in particular by ensuring that they are compliant with the DPA. They should give some thought to how they will address the new obligations such as the right to be forgotten, data portability and appointment of data protection officer, subject to an element of “wait and see” vis-à-vis the final details of the new law.

While specific provisions are currently unknown, businesses can put themselves in the best possible position by organising any data currently held, and as the ICO advises in respect of the GDPR, “document what personal data you hold, where it came from and who you share it with”. With negotiations between the UK and the EU pending, the GDPR seems to be a strong indication, in one form or another, of what is to follow in terms of data protection.

For further information please contact James Castro-Edwards.