The British public’s decision to leave the European Union – known as “Brexit” – on the 23rd June 2016 was a surprising turn of events for many.
After being a member state since 1973, 51.9% voted that we would be better off outside of the Union. The UK government invoked Article 50 on 29th March 2017, and the UK’s departure date from the Union is set for the same day in 2019.
The General Data Protection Regulation (GDPR) is a piece of EU legislation which was approved 2 months before the Brexit vote, on the 14th April 2016. The date of enforcement, as so many know by now, is the 25th May 2018. The passing of this legislation and the subsequent vote left many UK businesses and interested parties such as data controllers and processors asking – how will Brexit affect GDPR? Will the UK still have to adhere once it leaves the EU? Or are we free to make our own legislation (or not) on the matter?
The short answer is no: the UK will not be free to ignore it. The longer answer is a little more complicated.
When it applies
The GDPR applies strictly to businesses that process data about individuals who are citizens of other EU member states. So if you sell goods or services in Europe, or employ EU citizens, you will need to ensure your data processing activities are compliant. This is irrespective of whether or not the UK is in the EU, and still applies after Brexit.
Where it’s less clear
Where the EU’s position becomes a little bit less clear is when your activities are limited to the UK. You may be sitting there thinking to yourself “well that’s great, I don’t sell to anyone in Europe, so I don’t need to worry.” This might not be entirely true. Firstly, what happens if a business you supply to has multiple locations, and you do need to process data from outside the UK? What about if in order to grow your business in the future, you need to look to other markets in EU member states? You may also need to deal with suppliers from within the EU, or other partners across the supply chain. Even processing one record incorrectly on your system could lead to a breach, and a hefty fine. Surely, it would be best to follow the guidelines and set yourself and your processes up to comply with GDPR, regardless of the UK’s status in the EU?
There’s another reason to stay vigilant here. The UK’s third generation of data protection law has entered Parliament. The Data Protection Bill was published on 14 September 2017 and aims to modernise data protection laws to ensure they are effective in the years to come. It seeks to establish a strong framework for data processing in the UK post-Brexit and bring the country in line with EU member states. Some of the mechanisms and finer details may have to change based on the results of negotiations, and the role of the Information Commissioner’s Office (ICO) will have to change. But the “spirit” of the legislation will remain the same, and the advice is clear: make sure you’re prepared for GDPR.
It’s also prudent to point out that while the UK Data Protection Bill makes its way through Parliament, the original GDPR comes into effect on the 25th May this year, leaving us with almost a year in which we are still operating under EU law. To “wait and see what happens” and carry on as you are is an incredibly risky strategy, and one which isn’t likely to pay off in the long run.
How should you prepare?
As an IT asset disposal and data erasure specialist, we’ve written more on how GDPR will affect the disposal of end-of-life data-bearing hardware and the processing thereof here. If you would like some more advice on how to ensure you are compliant, get in touch.