The current situation:
Over the past few years, data protection compliance has gone from a subject largely paid only lip-service to by businesses to an important area of compliance. Privacy has become a major reputational issue for companies, and the increased powers and resources given to the Information Commissioner’s Office (ICO) mean that the risk of enforcement and fines has become real. The EU General Data Protection Regulation (GDPR), due to take effect from May 2018, will bring further requirements for businesses, and clients are already starting to think about the measures they will need to take to ensure compliance.
What might change?
Many in business will be disappointed to note that a material easing of data protection requirements is unlikely, for a number of reasons.
Firstly, it is important to remember that the result of the referendum itself has no effect on existing laws in relation to data protection (or in any other area). It is only what happens next that might bring changes.
In relation to the new GDPR, because Brexit is at least a two-year process, the two-year transition period leading up to the implementation of the GDPR in May 2018 will run alongside negotiations for exit. If, as widely predicted, the exit process takes longer than two years, the obligations under the GDPR will become legally binding on UK companies, even if only in the short term if exit follows soon after its implementation.
What impact could this have on UK businesses?
Some will think it worth taking the risk of waiting to see whether the UK is likely to implement national laws similar to the GDPR post-Brexit. The problem with this approach is that, even without specific UK legislation, companies may still have to comply with the provisions of the GDPR if they monitor the behaviour of, or offer goods and services to, anyone in the EU or EEA. It also seems unlikely that the UK Government would allow the UK’s standards in relation to privacy to fall a long way behind those of the rest of the EU, for reputational as well as legal reasons, so legislation to harmonise our national laws with the requirements of the GDPR may well be put in place. In addition, previous judgements from the European courts will continue to be binding in the UK even after our exit, unless Parliament legislates otherwise (which must be unlikely), and the UK courts and the Information Commissioner will probably continue to be influenced by their future decisions.
Then there will be a question mark over the adequacy of the UK data protection regime once we are outside the EU, and therefore over the ability of the remaining EU countries to export personal data to the UK. We may end up being treated in the same way as the US, which is currently in lengthy and difficult negotiations with the EU to try to ensure that data can keep flowing between the US and the EU. There will also be complications over the “one-stop-shop” provisions in the GDPR, which relate to national supervisory authorities.
What you need to be thinking about now:
Even in the absence of legal compulsion, it is worth remembering the level of reputational damage that privacy breaches have been causing UK companies recently, and the financial cost of the resulting loss of consumer confidence. Clients should not lessen their commitment to data protection compliance. The ICO recommends that businesses continue to prepare for the GDPR, and for the moment at least this seems like sensible advice.
If you have a query about any aspect of privacy or data protection, please contact Kathryn Rogers at Kathryn.firstname.lastname@example.org or call 01892 506 147.