Since the UK’s EU referendum vote in favour of Brexit, both the UK government and the Information Commissioner’s Office (ICO) have confirmed that having clear data protection laws with safeguards in place is more important than ever given the growing digital economy.
The UK’s current data protection regime is set out in the Data Protection Act 1998 (DPA), which implements the EU’s 1995 Data Protection Directive. The DPA is largely aligned with the current laws of other EU Member States. As it stands, it seems very unlikely that there will be any barriers to EEA-UK transfers of personal data from now until at least 25 May 2018, when the General Data Protection Regulation (GDPR) takes effect across the EEA.
What has the UK government said about the GDPR post-Brexit?
The UK government – recognising the importance of the stability of EEA-UK data transfers for many sectors – has confirmed that:
- it is very likely that the UK will still be a member of the EU when the GDPR comes into direct effect across the EU (and the EEA) on 25 May 2018;
- implementing the GDPR fully into UK law is a key way that the UK can negotiate uninterrupted and unhindered EEA-UK data transfers; and
- it does not foresee any great changes being made to UK data protection laws once the UK leaves the EU.
What has the ICO said about the GDPR post-Brexit?
In a blog post in October 2016 – after comments from the Secretary of State Karen Bradley MP confirmed that the UK will be implementing the GDPR – Elizabeth Denham, the Information Commissioner, described this as “good news for the UK”.
Both the ICO and the UK government have pushed for reform of EU data protection laws for several years. According to the ICO, the GDPR brings about the change required to mitigate risks and to inspire public trust and confidence in how personal information is handled in a growing digital economy.
The ICO has confirmed that it will be working with the UK government to stay at the centre of conversations about the long term future of UK data protection laws.
What does Brexit mean for businesses now?
Our key recommendations to businesses are as follows:
- Continue business as usual: at least in the short term, Brexit will not raise any barriers to personal data flows between the UK and other EU and EEA member states.
- Continue with GDPR compliance projects as planned: irrespective of whether or not your organisation has operations in other EU or EEA Member States (so that GDPR compliance would be required in any event), we recommend continuing with GDPR compliance projects as planned (on the basis that the GDPR will be implemented fully into UK law). For more information on how to prepare for the GDPR, see our detailed guide and the dedicated GDPR feature page.
- Identify data flows, particularly EEA-UK data transfers: many organisations will already be mapping data flows as part of their work to ensure that they comply with the GDPR from 25 May 2018. That exercise should also identify where data flows between the EEA and the UK, which will allow organisations to address any (longer term) changes to the rules on EEA-UK data flows (as and when they occur).
- Approach data protection policies and procedures across the EU and the EEA consistently, especially if your business is global: in the unlikely event that the UK does liberalise its data protection safeguards in the longer term, global businesses will still need to satisfy the higher thresholds of the GDPR where they operate in, sell into, or process personal data about people in the EU and the EEA.