A new data protection law that will have a huge impact on businesses in the UK was approved by the European Parliament last month. As we count down to the UK’s EU referendum in June, however, it seems that many companies are reluctant to do anything about their new obligations yet, believing that if the Leave campaign is victorious, the new General Data Protection Regulation (GDPR) won’t apply.
This is a mistake.
The GDPR doesn’t care where data’s held – it cares whose data it is. So, whether we’re in or out of Europe, the GDPR is something we in the UK need to address. And we need to start that process now. This blog explains why.
GDPR and Brexit referendum
First proposed in January 2012 by the European Commission and formally approved by the European Parliament in April 2016, the GDPR will unify data protection across the 28 EU member states when it comes into effect in just two years’ time.
GDPR applicability if we remain in the EU
If we stay in Europe, the GDPR will automatically supersede the UK Data Protection Act 1998 (DPA) in May 2018. All UK companies will have to comply with the new Regulation, or potentially face fines of up to 4% of annual turnover or €20 million.
So, if we remain in the EU, you’ve got until 2018 to prepare for the GDPR.
GDPR applicability if we leave the EU
In the event of a Brexit vote, the UK will notify the European Council of its intention to withdraw from the union, in accordance with Article 50 of the Lisbon Treaty. This states that if the negotiation of a withdrawal agreement is not successful, the withdrawal will automatically happen two years after the UK notifies the European Council of its decision to leave – in other words, after the GDPR becomes law in May 2018.
So, if we leave the EU and an agreement on the withdrawal is not reached, you’ve still got until 2018 to prepare for the GDPR.
And if a withdrawal agreement is reached, the actual process of withdrawing from the union will still be time-consuming and involved, as Jean-Claude Piris of the Centre for European Reform explains:
After the repeal of the European Communities Act of 1972 [the statute that surrendered the UK’s right, in certain areas, to legislate in a way that conflicted with European law], the British government would have to hurry to draft new laws covering farming, fishing, competition policy, regional aid, environmental standards and much else, to avoid a regulatory vacuum. To the extent that the UK retained any access to the single market, the government would also need a mechanism for adopting new EU regulations and directives as they emerged. British citizens and companies in other member-states would lose rights derived from EU law.
Faced with such a legislative and regulatory mountain, the seemingly obvious default position for the harried bureaucrat would be to pass a single statute that accepts current European laws until their replacements have successfully passed through Parliament (no mean process itself). So, given the timescale involved, it’s perfectly possible that the UK will adopt the GDPR anyway as a short-term solution to the ‘vacuum’ that M. Piris mentions.
In the long term, the economic argument for the UK adopting the GDPR if we leave – or, indeed, implementing even more stringent measures that would satisfy the Regulation’s data protection requirements – is strong: according to the Office for National Statistics, e-commerce accounted for 20% of UK business turnover in 2014. And, as think tank Chatham House pointed out in March, “data sharing has an impact on all business with the EU (both online and offline), valued at 45 per cent of UK exports and 53 per cent of UK imports.” In still-straitened economic times, that value is obviously something the Exchequer will be keen to preserve.
If that weren’t enough of an argument for your business to prepare for the GDPR, add to this speculation the hard fact that all UK companies that do business in Europe will need to comply with the Regulation, irrespective of whether they actually hold data in the EU, in order to provide adequate protection for EU citizens’ personal data, or potentially face fines of up to 4% of annual turnover or €20 million.
So, even if we leave the EU, you’ve still got until 2018 to prepare for the GDPR.
Whether the UK leaves or remains in the EU, whether the UK adopts the GDPR, continues with the DPA, or introduces a new data protection law, we urge our clients to implement robust information security practices as a matter of urgency – not because they’re mandatory but because they’re necessary.
Put simply, if you want to continue in business, you need to protect your information assets. That simple fact doesn’t change according to your position on the EU.
EU GDPR audit
Whatever happens in June, you’ve got two years to comply with the GDPR, or potentially face heavy penalties. If you haven’t done so already, you need to start your change programmes now.
All organisations should have a clear idea of the personal information they hold, including where it originated from and who it can be shared with.
Certified EU GDPR Foundation training course
And if you need to learn about the GDPR’s requirements, how they’ll affect your organisation, and how you can achieve full compliance with the Regulation, you’ll be interested in our one-day GDPR Foundation training course.
EU General Data Protection Regulation Documentation Toolkit
Pre-order the EU GDPR Documentation Toolkit and receive all the critical documents your organisation needs to ensure compliance with the new Regulation, including documents covering Data Protection Policy, DPO requirements, Privacy Impact Assessments, Incident Response and Breach Reporting.
Alternatively, call +44 (0)845 070 1750 today.