Three points you need to know
- Brexit does not have any immediate effect on UK data protection law. All the usual duties and compliance risks continue to apply.
- The future UK position is likely to be based on the EU General Data Protection Regulation (GDPR). This is a substantial overhaul and organisations need to start preparing now for implementation (due in less than two years). International developments, such as the adoption of the EU/US Privacy Shield for data transfers to the US, are likewise unaffected.
- The remaining uncertainty concerns the precise "shape" of the UK's future relationship with the EU (see below).
Current data protection compliance
UK data protection law continues to apply despite the result of the referendum. This includes primary and secondary legislation and related laws such as the Human Rights Act. There is no impact on the Information Commissioner's Office, which can continue to impose fines of up to £500,000 per breach.
Do I have to comply with GDPR in the future?
Likely, yes. This is because there will be a strong incentive for the UK (or perhaps a legal obligation) to implement GDPR compliance requirements in any event. The precise "shape" of the UK/EU relationship is not decided but could include any of the following:
- the EEA option: under which the UK joins the EEA and is legally obliged to implement GDPR;
- the Swiss option: under which the UK would likely have to implement GDPR-type obligations to secure a trade deal;
- the WTO option: under which the UK may also have to implement GDPR-type obligations to secure a trade deal.
And don't forget that, on current timelines, even a speedy Brexit negotiation would run past 25 May 2018, the date from which the GDPR applies, so the UK will be subject to the GDPR for a minimum period in any event.
Under the WTO option, the UK could try to negotiate its own form of Privacy Shield to secure adequacy status (i.e. to allow it to receive personal data from the EU or other jurisdictions). But it would be in the UK's commercial interests to secure adequacy status as part of the exit negotiations, which, again, will likely lead to duties to implement GDPR.
What should organisations do now?
Here is a checklist:
- Continue to comply with all current UK data protection law;
- Don't make any hasty decisions about reconfiguring corporate structure or moving data centres. We don't yet have the detail on the UK's future relationship with the EU to assess whether further steps are required.
- Plan for GDPR implementation (many of the GDPR requirements take a long time to plan for and may also involve IT system upgrades with a significant lead time).
- Many businesses are considering using GDPR-readiness exercises as a "stepping stone" towards a full Binding Corporate Rules (BCRs) application. The GDPR will formally recognise BCRs as a legal basis for global transfers of data within groups of companies. BCRs examine in detail a business's data governance and controls and, because they expand and contract with that business, they are regarded as the "platinum standard" for European international transfer solutions.
- If you're a vendor/data processor, consider applying for BCRs for Processors following any GDPR readiness exercise (and/or other measures such as "Privacy Shield" status or the adoption of local privacy seals).
- Track the political developments, although we are unlikely to get much clarity on this for at least a few months.
Law stated as at 16 July 2016