Britain has voted to leave the EU, and at this stage it seems that Parliament is going to honour the results and take us out of the EU. So what does this mean for data protection?
I don’t think there has ever been such uncertainty, confusion, difficulty and high risk over data compliance. So I thought this might help clarify what Brexit is likely to mean in relation to the UK’s data protection legislation.
- If Article 50 is invoked in or after October 2016 (as suggested by David Cameron this morning) it will take at least two years and four months for the UK to leave the EU. And, given the complexities of the exit negotiations involved, it may well take longer than that.
- EU law will continue to apply until the moment the UK actually leaves the EU, which means that, for a minimum of 5 months, UK organisations – even those which do not process data in Europe – will be required to comply with GDPR.
- If Britain leaves the EU and remains a part of the EEA (like countries such as Switzerland, Norway, Iceland and Liechtenstein), it will be required to comply with GDPR.
- If Britain does not want to be part of the EEA, once it has left the EU it will NOT be required to comply with GDPR.
- However, if the UK wants to trade equally with the EU then, to quote the Information Commissioner’s Office, “UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.” To achieve this end, the ICO has already stated its intention to speak to the UK government to explain that reform of the UK law remains necessary: “Having clear laws with safeguards in place is more important than ever given the growing digital economy.”
Although it’s too early to know exactly what will happen to UK Data Protection law, what is quite clear is that all UK businesses need to continue making preparations for GDPR compliance. An excellent starting place is to ensure that you understand and comply with current legislation right now. I’d suggest the following process: