GDPR and Brexit
In June 2016, the United Kingdom opted to withdraw from the European Union, ending a relationship with the trading bloc which had lasted in excess of 40 years. This desire to leave was subsequently confirmed by the Prime Minister, Theresa May, in March of the following year with the delivery of Article 50 to Donald Tusk.
This withdrawal will see the United Kingdom’s laws since the inception of the 1972 European Communities Act be affected through the ‘Great Repeal Bill’. It is clear that European Laws have had a substantial impact upon the British people in all aspects of their lives, from birth, through education and employment and well into retirement. Some EU laws will be scrapped and others incorporated into the UK through their own, individual acts.
As the world itself enters a new age, that of information and digital technologies, there are questions raised as how to deal with this rapid advancement in the fields of technology.
Under current law, the United Kingdom can rely upon the EU Data Protection Directive to protect their data centres and all of the valuable information which citizens have stored online. Under European law, Directives have to be put into a nation’s laws through their own acts, so the regulation on British data stems from the Data Protection Act of 1998 (nearly 20 years old). This Act covers the transfer of data out of data centres and the EU to nations who may not have the same levels of protection, how the data is processed among other provisions.
Obviously, this does raise the question as to whether the United Kingdom will choose to continue implementing this law once Brexit has been fully implemented. This topic is open to further discussion as the European Union will be updating their own data legislation within the two-year timespan for Brexit negotiations. This overhaul of EU Data regulations, known as the General Data Protection Regulation (GDPR) will come into force at the start of May 2018, some 10 months before the expected end of the United Kingdom’s EU membership.
Unlike directives, European regulations (such as the GDPR) don’t have to go through the standard process to become national law. Instead, they become active immediately, meaning that, in May 2018, the United Kingdom will have to follow these rules until at least the end of March 2019 (based on the expected negotiation timeline).
This is significant as the GDPR itself sets a very high standard for data protection and will have significant effects on UK law during this time. Firstly, the GDPR itself has a wider application, meaning that all companies in all EU nations are now responsible for any data which they process. Processing data can be anything as simple as entering information onto a website or social media account (see the case of Lindqvist).
In addition to this is the concept of penalties for companies who break the rules. These fines can be substantial (up to 4% of annual turnover or €20 million (whichever is higher)) and are tiered, so various offences can stack up.
Within larger, wealthier companies, early signs have shown a large focus on the topic of data governance as privacy assessments will become mandatory for data processing activities which are considered ‘high risk’ which will include banking, shopping and other ‘large-scale’ activities.
Also contained within this piece of legislation is the concept of “privacy by design”. In essence, any data processor must be able to demonstrate that the data they store is at least partially encrypted and their staff policies have privacy protection provisions. This extends out to thirdparty processors too, with regular assessments of staff, policies and features.
The GDPR also features rules regarding the standard to which companies have to follow concerning informing individuals as to how their data will be processed, including the contact details for the Data Protection Officer who is ultimately responsible for their data and subsequent transfers of this data outside of the EU (which can be tricky due to the amount sent to the United States). The individual also must consent to any different processing activity (although this might be easily bypassed like with the ‘cookie directive’) and can withdraw their data at any time.
In addition to this, the GDPR will consolidate one of the more controversial EU judgements of recent years, namely the ‘right to be forgotten’. This is the concept that anyone can have any information about them removed from the internet if it has been made public. This is expected to be where most of the aforementioned penalties come from, especially if there are data breaches which have occurred before.
In terms of business, most of those in the know believe that the GDPR will have monumental impact on their day to day operations, especially if they are keen to avoid the penalties. The amount of data which companies hold and process is at an unprecedented level and is growing at an astronomical rate. Many firms are now employing highly-qualified data governance individuals to ensure they are ready for when the GDPR takes full effect.
GDPR for a Post Brexit UK
But what about the UK? As mentioned earlier, the GDPR will be in force within the UK for at least 10 months, so firms will have spent time and money to allow these regulations to have a minimal impact on how they work. If a British firm has yet to be in the process of setting up these protocols, it is essential that they start now or, according to the ICO, they could have “significant budgetary, IT, personnel, governance and communications implications.”
And as to what happens once the withdrawal is complete? This is a question to which nobody has the answer to, be they Theresa May, Guy Verhofstadt, or David Davis. However, most people can make an educated guess, which will become clearer day by day as the British people approach March 2019.
One suggestion is that Brexit could lead to the GDPR and all of its aspects being stricken from British laws through the great repeal bill, never to be seen or head of again on these shores UK firms in this scenario would be faced with the prospect of transferring data to the US and the EU operating under drastically differing guidelines.
For US data transfers, it could be considered to be business as usual. The United States is rather lax when it comes to data protection and the viewpoint of data. In Europe, data is seen as something personal and private and not commercialised. In the United States, data is seen as a valuable asset, something which can be traded as a commodity (as seen with website like Facebook, where you literally pay for services with your data).
However, for transfers to and from the European continent, UK firms may face difficulties to keep up to the same standards, especially if something similar to the poorly enacted ‘privacy shield’ and ‘safe harbour principle’ are attempted.
Current UK laws work on the prospect of self-determination of adequacy when transferring data outside of the EU, meaning a company can choose if their data is protected enough to leave the EU. The UK is the only nation in the EU to have such a provision, so transfers from the EU could be tricky and would most likely rely upon contracts to navigate around.
The other view is that the United Kingdom sees the GDPR as relevant and crucial to UK business, incorporating the legislation through Parliament and making it law post-Brexit and mirroring the EU one. This is what most businesses are hoping for as the UK, regardless of how Brexit negotiations go, will be a strong trading partner with the EU and data will be transferred between the UK and Europe for many businesses.
Indeed, as many businesses will have already complied with the GDPR for nearly a year by this point, they will most likely still continue to do so regardless of what happens due to the ease and lack of disruption it would cause, instead of having two compliance standards.
In essence, the GDPR will drastically affect the United Kingdom and the first steps have already taken place with businesses preparing themselves for life with the GDPR. The aspect of Brexit may have long-term effects on what will eventually happen and our future relationship with our European neighbours. Whether we go for a hard Brexit, scrapping everything the EU has and taking a long stride towards the Americas and their ‘data as an asset’ view or whether we go softer and see the benefits the GDPR brings, not least to the free-trade agreements which the UK will be striving for.
Despite anyone’s view on this law, or any law of the EU, this piece of legislation will be a core component of UK Business for a minimum of 10 months and an unknown maximum. Therefore, it is essential to fully understand this topic as soon as possible.