Brexit will not stop the General Data Protection Regulation ("GDPR") becoming the new reality for the UK in 2018. As confirmed by the Information Commissioner’s Office last week, to trade with the European Union (trade inevitably involving cross-border personal data use, sharing, transfers and so on), we will want to be considered a country with 'adequate' levels of data protection. How do we attain this? By having equivalent data protection laws. In which case, we will still need to comply with GDPR standards.
- If personal data is transferred to a non-European Economic Area (EEA) country, other than for ad hoc data transfers which fall within the 'permitted transfers' list, a mechanism such as Binding Corporate Rules or Model Contracts will need to be used.
For example, a company has shared HR services/systems. Servers are in the Netherlands but accessible from the UK. This will involve a personal data transfer to the UK. Model Contracts would need to be put in place (assuming they are still around by 2018 given Max Schrems is now also challenging Model Contracts before the Irish data protection regulator). Intra-group Model Contracts will involve commitments by the UK recipient to data protection compliance principles equivalent to those in Europe. From May 2018 that means complying with GDPR standards.
- You will still be caught by the GDPR if you are not a member of the EU, even if you're not receiving personal data from an EU country but you are targeting goods/services at a EU market or profiling personal data of data subjects in the EU. For example, a UK online retailer which sells to continental European consumers will still need to apply GDPR standards to use of personal data of European-based data subjects.
- If you use service providers in any EU country, GDPR standards could also still apply. For example, if you use an IT service provider in Germany, you might not have an 'establishment' in the European Union, but could still be processing on equipment there by virtue of your German provider. By processing on equipment based in Germany, you could then still be caught by the GDPR (given this will apply in Germany from May 2018).
The chances are that many UK organisations will need to be GDPR-compliant regardless. Do not let post-Brexit uncertainty eat away at your GDPR compliance schedule.