The future of data protection policy in the UK
20 Sep 2016
Prior to the UK’s decision to leave the European Union (EU), organisations were gearing up for the General Data Protection Regulation (GDPR). The legislation will be enforced from May 2018 so organisations do not have long to become compliant.
DMA External Affairs Manager, Zach Thornton, has noticed an increasing number of people at events questioning GDPR and whether Brexit means they will need to comply with it. Anecdotally, it seems to have dropped in importance among some in the industry.
This view is erroneous because the Brexit negotiations will take a long time to complete, and will not be concluded before May 2018. This means that UK organisations will need to comply with the GDPR for a period of time, perhaps 6-18 months but perhaps longer. Perhaps permanently.
Furthermore, UK organisations that process EU citizens' personal data will need to be GDPR compliant. The regulation applies to any organisation processing EU citizens' data, whether that processing takes place within the EU or not.
No one knows exactly what will happen in a post-Brexit world. Leaving the EU means the UK will not be legally bound to keep the GDPR and it may decide to alter the legislation and deviate from Brussels. There are possibilities where there were not before.
The slogan used by the Government is that ‘Brexit means Brexit’ but this does not tell us much.
The UK could follow the example of Norway and join the European Economic Area (EEA) and this would mean the UK was still bound to follow the GDPR as it would have been before Brexit. However, there are many other options on the table.
There is the possibility for the UK to alter the rules for organisations that market only to UK citizens and process only UK citizens' personal data. But it's unclear whether this would have many advantages, as UK businesses do not want to comply with two different sets of rules and people would question why the UK would have a different standard to companies in the EU.
What is clear is that data protection will form an important part of any deal that the UK strikes with the EU. There are cross-departmental meetings ongoing within government and the Department of Culture, Media and Sport (DCMS) will ensure that data protection is on the agenda of those Ministers responsible for negotiating the UK’s exit from the EU.
Data protection will form part of our future trading relationship with the EU, and to this end the EU will require the UK to have an ‘essentially equivalent’ data protection standard if the free flow of data is to be maintained.
Whether the UK has a piece of legislation called GDPR or not, the end result is going to be very similar to the GDPR.
Organisations should continue with their plans to implement the GDPR irrespective of the decision in the EU referendum, as the UK will be moving towards a standard on a par with the GDPR. The referendum decision is not a reason to delay plans to understand and become compliant with the GDPR.
Organisations have a little over a year and a half (20 months) to become GDPR compliant, which, given the scale of some of the changes, will be no easy task, but is possible. It is imperative that Brexit does not mean that plans to implement the GDPR are left by the wayside.
We are monitoring how the industry is reacting and adapting to the GDPR and the implications of Brexit. Take the survey.
It will take less than 10 minutes to complete. In return you will be entered into a prize draw for the chance to win £100 in Amazon vouchers.
Where do you get the information that "the GDPR has dropped in importance for many organisations as a result of the Brexit vote"?
If that is happening then it shows that we are failing to advise companies effectively, because regardless of the flavour of Brexit that we choose, we'll still be part of the EU when the GDPR comes into force.
Emarsys UK Ltd
Head of Deliverability