We use cookies to make your experience of our website better. Some of these are set by third party Google Analytics to help us analyse website traffic. To comply with privacy regulations, we require your consent to set these cookies. If you continue to use the site without selecting an option we will assume you are happy for us to use cookies.

Should We Bother With The New Data Protection Regulation After Brexit?

Should We Bother With The New Data Protection Regulation After Brexit?

It’s a good question to ask, and one more question to add to the many that we will have after the EU Referendum result.

As blogged about previously, the UK’s existing data protection framework is due to be replaced by a new European General Data Protection Regulation. The Regulation has a number of onerous changes which businesses will have to get to grips with. We have two years to get ready for the new law which is due to come into force in the UK on 25 May 2018. But should UK businesses bother now given the UK’s impending exit?

Clearly negotiations with the European authorities could result in the UK agreeing to not implement the Regulation. However this seems extremely unlikely for a number of reasons:

  1. The implementation date of the Regulation is significant. Any formal process to leave the European Union under Article 50 is going to take at least 2 years – well past the implementation date of the Regulation. So, on the face of it, the UK would have to comply with the Regulation for a period of time unless agreed otherwise.
  2. The law will already be part of the way implemented. The clock is already ticking down and the regulator charged with enforcing the current law and the new law, the Information Commissioner’s Office is unlikely to seek to lobby to wind the clock back. The Regulation has taken 4 years to get to this stage!
  3. Businesses supplying goods and services to European citizens or where an organisation undertakes monitoring of European citizens (e.g. online tracking) are required to comply with the Regulation even if they are not based in the Union. Therefore, organisations based in the UK will need to still comply with the Regulation if they are trading with the EU.
  4. A key issue will be sharing personal data with Europe. The law prevents organisations from sharing data to countries outside of the European Economic Area (the Union Member States plus Norway, Iceland and Liechtenstein) unless adequate protection is in place. If the UK falls out of the European Economic Area, then steps will need to be taken to demonstrate “adequacy”. If the Regulation is not implemented in the UK, then it could be very difficult to meet the hurdle of adequacy which could be another roadblock to continuing trade with the EU. The UK government should be mindful not to inhibit our digital economy by not ensuring a level playing field of data protection law.

On this basis, we would be recommending that clients still continue reviewing their existing practices and procedures against the Regulation. Whilst there may very well be political uncertainty, the Regulation provides a “best practice” benchmark for handling personal information. Even if the politicians decide to not implement the Regulation, the UK will still have a data protection framework through the existing Data Protection Act 1998 which is very much embedded in our law - let alone our culture.

Ross McKenzie

Burness admin