Britain has voted to leave the European Union (Brexit), and the decision brings existing and upcoming European privacy laws into question. At a recent ICO and Iron Mountain event on GDPR, with representatives from the public sector, we discussed how Brexit would affect how Britain adopts the GDPR.
Depending on when we officially leave the Union, there are a few potential outcomes for what could happen with the new General Data Protection Regulation (GDPR), which comes into effect in the spring of 2018 and replaces the current Data Protection Act (DPA). No matter what happens with Brexit, the GDPR will impose increased compliance regulations (and increased fines for non-compliance) on all global organisations.
There are three ways the GDPR could go for UK companies based on when Brexit occurs. The timing revolves around the UK officially invoking Article 50 of the Lisbon Treaty. Until we formally do that, there is no change to the UK’s status within Europe. There has been much discussion about when this will happen. The expectation is that when it is invoked, it will take about two years to officially go through the formal exit process. Therefore, the three scenarios for the UK and GDPR are:
Brexit Doesn’t Happen: In the unlikely event that Brexit doesn’t happen, the UK will still be a part of the European Union and GDPR will be law for the United Kingdom.
Brexit Does Happen, and We have GDPR for a While: The timing of Brexit suggests that we will have a few months at least of GDPR as UK law. What the government decides to do after that point will be up to them to decide, but it’s likely that European regulations such as the GDPR will continue to be enforced.
Brexit Does Happen, and We Don’t have GDPR: If Brexit becomes a reality before GDPR comes into play, the UK won’t be obligated to take it on, as it’s a European Union piece of legislation. In this case, the UK could either choose to enact GDPR anyway, or we could choose to draft our own piece of UK-specific legislation.
In any of the above scenarios, companies will most likely want to follow the rules and guidelines related to GDPR. In today’s global data economy, European organisations won’t want to do business with partners or vendors that aren’t compliant with the new regulations.
It’s also important to keep in mind that the GDPR will expand what it means for companies trading with the EU, regardless of where they are headquartered. If companies are processing the personal data of EU citizens they will be subject to the rules of the GDPR. This is a stricter view than is currently in place.
Learn about how your organisation can stay compliant. Visit our Global Research and Policy Centre for expert insights.