Data Protection And Data Privacy In A Post BREXIT Context

Posted by Chris Scott

Following on from the result of the EU referendum and the decision made to leave the EU a number of questions have arisen regarding the impact of this on Data Protection and Data Privacy. In light of the recent announcements of the EU General Data Protection Regulation (GDPR) and the decision in July by the EU commission to adopt the Data Privacy Shield, that was a reaction to the annulment of the previous Safe Harbor arrangement.

With the current situation and no real clear roadmap for the process of exiting the EU it is difficult, without making assumptions, as to what this will mean for the UK. A timetable cannot be created until after Article 50 is invoked and currently the date for that seems to be a moving target. This will not happen in 2016 that has been a pretty clear message coming out of number 10 Downing Street since the appointment of the new PM. However more recent “noises” have suggested this might take even longer than first anticipated.

So what does this mean for UK businesses in context to both GDPR and the Data Privacy Shield?

Starting with GDPR. This means that we have 2 years post invocation of Article 50 during which time we will still be subject to EU law. Therefore by May 2018 we will need to comply with these regulations. So nothing changes. The risk is that the opportunity that GDPR presents may be ignored by some as the focus upon it as EU legislation may become clouded by the exit process.

As mentioned, without supposition or assumption it is impossible to provide clarity on the longer term however I feel it would be unwise at best and foolhardy at the other extreme to assume anything other than BREXIT or not UK businesses will need to comply with the GDPR.

With the EU as our biggest single market and many EU citizen’s customers of UK businesses and residents within the UK, in order to maintain those relationship’s we will have to mirror the GDPR within UK law.

One conclusion that could easily be drawn is that as part of those negotiations post the invocation of Article 50 is that the UK would embrace the terms of GDPR and prevent introducing any potential barriers that not doing so would introduce. As a technology hub and with the support and backing from central government especially in the financial technology (Fintech) space this would be a quick win and move on to more complicated jurisdictional and legislative matters.

All that aside GDPR is just plain old good business practice in any case. In the always on, always connected world in which we live the introduction of the principles of GDPR, enforced in law, is the way we have to move to protect the data that is most precious to our businesses and our customers alike.

The Data Privacy Shield is a slightly more complicated debate although I tend to lean towards the notion that this will not be impacted either. The EU have accepted and adopted this, why would the UK want to buck the trend? The only scenario that I can imagine that would have any influence over this is when negotiating the trading arrangements outside of the EU, in particularly with the US, would we want to take a backwards step from the Data Privacy Shield to entice more favourable terms from the US? If this in anyway would be likely to jeopardise the position with the EU and in any way undermine GDPR I think this would be unlikely.

So all bets are still on. We will have to work towards the requirements of GDPR as we will be subject to that for a given period of time, at least a year possibly more, dependent upon when Article 50 is invoked. In all reality it is here to stay and that is a good thing so embrace the change this will deliver to information security which is a positive move in the right direction for citizens, customers and UK businesses.