Data protection in the UK post-Brexit
UPDATE 04/11: The UK and EU have agreed to delay Brexit until 31 October.
With the Brexit deadline here, it’s safe to say that there is a lot of uncertainty within the UK at the moment. This became almost immediately apparent upon the nation voting to leave the European Union back in 2016. Ever since then, there has been a huge amount of confusion over what exactly will happen once the UK triggers Article 50.
In the aftermath of the referendum over two years ago, everything from the economy to employment has been heavily discussed, with many people worrying about exactly what will happen. Data protection is just another uncertainty in recent times, with a lack of information on how this will function after the UK has left the EU.
While data protection probably wasn’t your first thought when it comes to Britain leaving the European Union, it’s most definitely something that you should consider. With that in mind, the following article will take a closer look at the relationship between data protection and the UK after the Brexit negotiations draw to a close. So, without any further ado, it’s time for you to discover everything that you need to know.
Will GDPR apply in the UK post-Brexit?
Brought into place on 25 May 2018, GDPR (General Data Protection Regulation) is an EU-wide regulation that was brought into place to protect the data of individuals living in each member state. Affecting medicine to banking and everything in between, GDPR was drafted in to replace the 1995 Data Protection Directive.
Thanks to the laws that were brought into place with GDPR, individuals found themselves having more power when it comes to their personal data. Essentially, it means that they can demand companies reveal or delete any personal information upon request. If the company in question failed to do so, then they could find themselves facing a new maximum fine of €20m (£17.5m) or 4% of the global turnover of the company.
However, as Britain is due to leave the European Union imminently, where does this leave GDPR? Well, as it happens, you probably won’t see much of a change, to begin with. After all, the UK Government has explicitly said that “there will be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it”.
However, particularly in the event of a no deal Brexit, a considerable number of changes to data protection are likely to become more apparent as the years go by. This means that any UK businesses which handle personal information will need to prepare themselves for whatever may happen just to be on the safe side. That way, this will allow them to take the appropriate action and keep things as close as possible to how they are now.
Initially, the UK Government has expressed that the transfer of data from the UK to EU countries will remain unaffected. Although, it’s important to mention that any organizations based in the UK need who receive any transfer of personal information of EU citizens or from EU member states need to work with their partners on the continent so that any transfers fully comply with the current regulations which are in place.
What other data protection laws might be affected?
When it comes to the transfer of personal data, it’s safe to say that many procedures must be followed in order to conduct data flows in a lawful manner. This is the whole reason for GDPR being brought in in the first place. But, just what exactly does this mean for other data protection laws?
Well, it appears that the UK will need to prove to Brussels that it meets ‘adequacy’ in terms of privacy protection for EU citizens. In doing so, this will allow British companies to continue the transfer of personal data across Europe in vast volumes. With that being said, it has been reported that the process of achieving adequacy post-Brexit is a process that could take many years, as outlined by Europe’s data protection supervisor Giovanni Buttarelli:
“Adequacy could take years. We will have to assess law enforcement bodies,” said Mr. Buttarelli. “Adequacy findings take a lot of work even if [the UK] is fully compliant with the GDPR”.
In terms of other data protection laws, you will find that the UK Data Protection Act 2018 (DPA2018) was passed around the same time that GDPR came into effect. This was a replacement for the previous Data Protection Act 1998 that was repealed and replaced. The DPA2018 is the new set of laws which must be complied with if the UK leaves the EU without a deal, and so this will ensure that any personal data which is transferred by an organization will have to observe strict regulations. Otherwise, the company in question could potentially face severe penalties.
Conclusion
All in all, it’s safe to say that a lot of change is going to happen within the UK over the next few years, with the new deadline set for the 31 October 2019.
Either way, it can be said that there is still much uncertainty over whether or not the UK will leave the European Union with or without a deal. In spite of this, it wouldn’t be surprising to see sweeping changes over the next few years even though GDPR has been in place for less than 12 months.
For that reason, it’s better to be safe than sorry and prepare yourself for any type of Brexit deal that is reached – particularly if you find yourself in a situation whereby you need to transfer any personal data to and from EU citizens and/or member states. While it may be a complicated process, it’s always worth being prepared regardless of the situation. That way, you’ll be in a much better position to handle procedures in a manner that is fully compliant with legislation post-Brexit.
