Published: 28 June 2016
Area of Law: Data Protection
Impact of the Referendum on the General Data Protection Regulation
The General Data Protection Regulation (GDPR) was approved by the EU in April this year and is due to come into force in May 2018. The result of the Referendum means that the UK is likely to leave the EU shortly after the GDPR comes into force. We are now being asked by clients what they should be doing as a result and whether they can now ignore the impact of the GDPR in assessing their compliance with data protection law.
There are two compelling reasons why organisations should continue to assume that the GDPR will continue to be relevant.
The first is, regardless of what the UK decides to do relating to trade with the EU in the wake of the referendum, the GDPR itself has extra-territorial effect. It applies to organisations outside the EU who offer goods and services to individuals within the EU or who monitor the behaviour of individuals, insofar as that behaviour takes place within the EU. So any UK businesses that continue to do business with individuals within Europe will still need to comply with the GDPR.
The second is that it is likely that the UK will still want to access the European Economic Area and reap the benefits of free trade in a post-referendum world. If this is the decision and the UK is to continue trading freely with Europe and in particular, to allow companies in the UK to receive personal data from the EU, it will need (in the same way that the US was previously obliged under Safe Harbour) to provide a data protection regime that the EU considers “adequate”. As the UK’s Information Commissioner has recently stated:
“…if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018”
The Information Commisioner has stated that he will be speaking to the government to “present our view that reform of the UK law remains necessary”. So we expect to see a law very similar to the GDPR to be implemented within the UK.
Therefore, our current advice to clients is that they should continue to prepare for the changes implemented by the GDPR and ensure that they have appropriate policies and procedures in place ahead of May 2018.
For more of our thoughts around Brexit read here.