The new EU General Data Protection Regulation (GDPR) is due to come into force on May 25, 2018, providing greater rights for individuals living in the EU with regard to their data and how it is handled by any organisation that holds or processes it.
Currently, the European Union consists of 28 countries, and the law is very clear that any organisation that collects, controls, handles or processes data on those individuals is liable under it, no matter where that organisation conducts business: the United States, India, the EU itself, or the UK, whether inside or outside the European Union.
Clearly, therefore, there is no change for any organisation outside the United Kingdom. UK-based businesses, please read on…
The simple answer is that Brexit doesn’t change anything, for various reasons:
- The UK will still be a member of the EU on May 25, 2018 when the law comes into force (unless the UK manages a staged exit where, before that date, it declares it will not be governed by new regulations).
- Most UK-based organisations will have data on individuals living in the remaining 27 EU member states (including UK citizens living in the EU) and so will have to comply even after leaving the EU.
- UK data protection law is contained in the Data Protection Act 1998, which covers broadly similar ground, though the penalties are not as high (maximum fine £500,000).
The UK is likely to want to be considered a safe place for data on EU individuals and to appear on the EU’s list of countries with “adequate” data protection laws. This can only be achieved if UK laws are amended to enact safeguards similar to those in the GDPR.
The advice to UK organisations is to keep planning for GDPR because, even if the regulation itself doesn’t become UK law, something very similar will appear in its place.
Taking a step back, let’s remember that the GDPR is designed to help organisations achieve best practices for data protection and that it is actually a good set of rules to follow. It advocates privacy by design and good information management policies, procedures, and technologies to minimise possible data loss incidents.
The UK data privacy regulator, the Information Commissioner’s Office (ICO), has answered a couple of questions:
How will data be regulated in the UK if it leaves the EU?
It will continue to be regulated by the current Data Protection Act, which was passed back in 1998. Although derived from an EU Directive, the Data Protection Act was passed by the UK Parliament and will remain in place after any exit, until Parliament decides to introduce a new law or amend it. The UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines.
So does Brexit mean businesses should stop worrying about data protection law?
Not at all. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on. The UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.