By: Alexander Milner-Smith, Firm: Lewis Silkin
The UK implemented the GDPR in 2018. Experts do not believe Brexit is likely to make much difference to current data protection practice.
At some point in the future (near, distant or, of course, non-existent) the United Kingdom may be fully outside the EU post Brexit. From a GDPR application and enforcement perspective not much will change.
The UK has already implemented the GDPR in full via the Data Protection Act 2018 and it is very unlikely the UK government would amend this legislation (further, it will likely copy the material elements of the E-Privacy Regulation when (and if) it comes into force). It may also be that the Information Commissioner’s Office (‘ICO’, the UK’s data protection authority) and UK courts follow European Court of Justice and EU regulatory decisions on application of the rules.
As such data processing in the UK, both generally and in the workplace, will still look very much the same as in the EU regarding lawful bases, notices, proportionality, security, accountability and other elements.
The UK will have to consider all the extra-territorial implications of GDPR as other countries above have described, but as companies in the UK will already be complying with GDPR principles, this is not likely to make much difference to current practices. There will be also be reverse implications in terms of the extra-territorial application UK data protection rules. Again, this should not make too much difference for EU organisations but non-EU companies should consider this (at the same time as the extra-territorial implications of GDPR as other countries above have described).
The two big (albeit not insurmountable) areas for the UK being outside the EU are:
- Extra-EU (EEA) transfers. For more information on this much misunderstood topic see here.
- That the ICO will no longer be party to the EU regulatory (or even the EEA regulatory) mechanisms including the European Data Protection Board, access to the Leading Supervisory Authority system.