Uncertainty prevails in post referendum Britain. We have a new government, significant changes to government’s digital leadership, and a mandate to leave the EU. The launch of the UK government’s Digital Strategy is long overdue, and there is little clarity on where digital will feature on May’s “to do” list.
Nonetheless, life goes on. Following the formal adoption of the General Data Protection Regulation (GDPR) in May 2016, the UK had been slowly coming to terms with the need to become compliant with the new law by May 2018.
The GDPR is intended to harmonise the data protection law of the 28 Member States, and make the current regulation fit for the digital age. Although it is doubtful that anyone would disagree on the intent of the GDPR, the devil is in the detail, and it has not been universally welcomed.
Does Brexit let the UK off the GDPR hook? We are getting mixed messages, with the Information Commissioner’s Office (ICO) saying that the incoming law will not change, despite Brexit, whilst the Minister responsible for data protection, Baroness Neville-Rolfe, recently said that “for a period the future [for data protection regulation] would be uncertain” until Brexit negotiations got underway, and the UK understood whether it was aiming to leave, or stay within the EEA. This is a key area where industry needs early clarity in terms of the government’s intentions.
What is certain is that the UK will continue to do business with the EU, and that EU citizen data will continue to be stored or processed within the UK. The scope of the new law means that the GDPR applies to EU citizen data, irrespective of where that data is being processed. This means that the UK will either have to adopt the regulation, put in alternative regulation that is deemed “adequate” by the EU, or rely on EU model clauses or even a Privacy Shield type arrangement. Either way, it is highly unlikely that the UK will have exited the EU by the time the GDPR takes effect in May 2018.
This is why most companies are continuing with their GDPR plans, despite Brexit. Some companies may stall plans until there is clarity – or not even start the planning in the first place. These companies are taking a big risk, given the extent of the changes. One of the most significant changes will be the sanctions that can be enforced under GDPR. These will be much tougher than now – up to €20,000,000, or 4% of global turnover, whichever is the higher. The definition of personal and sensitive data under GDPR will become much wider, to include genetic and biometric information, as well as online identifiers. Data subjects will have significantly increased rights, and the conditions for international data transfers will become more stringent.
UK companies will need to ensure that their policies, processes, privacy notices and contracts are in compliance with the new regulation. The UK cannot afford to lag behind the rest of Europe in terms of its data protection regulation, not least because the UK must continue to trade with Europe, but also because robust and modern data protection regulation will help to grow wider investment in the UK’s digital economy. Companies should act now to comply with the impending regulations, whether or not the trigger on Article 50 is pulled this year.