With the UK’s decision to leave the European Union, you could be forgiven for thinking that the new EU General Data Protection Regulation (GDPR) no longer applies to your organisation. Or that, given the current political and economic uncertainly, it’s best to delay any decisions surrounding your data protection compliance policy.
Here are three key reasons why you should not ignore the GDPR:
- It’s still the law
Until the UK invokes Article 50, the UK is still in the EU and must fully comply with its laws until the Brexit negotiations and process are completed. If you suffer a data breach after the GDPR’s 25 May 2018 application date, your organisation could be sued by EU residents if you fail to comply with the Regulation – even if we leave the EU.
- New UK law may include the GDPR requirements
As the UK Information Commissioners Office (ICO) was at the forefront of the GDPR’s development, it’s very likely that the current UK Data Protection Act (DPA) will be updated to reflect the more rigorous requirements of the GDPR. While the DPA could be completely repealed, this would be many years down the line, and any new UK law would most likely include the GDPR’s requirements.
The economic argument for the UK adopting the GDPR when we leave – or, indeed, implementing even more stringent measures that would satisfy the Regulation’s data protection requirements – is strong: according to the Office for National Statistics, e-commerce accounted for 20% of UK business turnover in 2014. And, as think tank Chatham House pointed out in March, “data sharing has an impact on all business with the EU (both online and offline), valued at 45 per cent of UK exports and 53 per cent of UK imports.” In still-straitened economic times, that value is obviously something the UK government will be keen preserve.
This was confirmed by Steve Wood, Interim Deputy Commissioner at the ICO, who commented, “The result of the 23 June 2016 referendum on membership of the EU now means that the Government needs to consider the impact on the GDPR. With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to consumers and citizens. Once implemented in the EU, the GDPR will be relevant for many organisations in the UK – most obviously those operating internationally”.
- Win more business in Europe
To do business with any EU country, such as France and Germany, your company will be required to comply with the GDPR. This is because the Regulation applies to EU residents’ data, wherever it is processed.
Norway, which is not in the EU but is in the EEA, complies with about three-quarters of EU legislation but has very little influence over its content. If the UK follows the Norway model, the UK would not move significantly away from GDPR or the EU’s Network and Information Security (NIS) Directive that has also been finalised in the last few weeks.
UK companies who ignore GDPR will be less competitive and risk being side-lined in any international sales deals.
Do not take the risk of ignoring the GDPR in your organisation. Get started immediately and attend our next session of the Certified EU General Data Protection Regulation Foundation (GDPR) Online training course. It’s delivered in a Live Online format to save you the time and cost of attending a classroom course.
Better still – it takes just one day and is next running on 27 July 2016.