Since the UK’s EU referendum vote in favour of Brexit, the Information Commissioner’s Office (ICO) has confirmed that having clear data protection laws with safeguards in place is more important than ever given the growing digital economy. At this stage, while there is some uncertainty about the eventual impact of Brexit, the ICO has said that it will be speaking to the UK government to present its view that reform of the UK law remains necessary.
Whilst the current timetable for Brexit is uncertain, it seems likely that the EU General Data Protection Regulation (GDPR), the most substantial refresh of EU data protection law in the past 20 years, will continue to apply to the UK as expected from 25 May 2018. In the longer term, the UK is still likely to need to maintain a law similar to the GDPR, regardless of any post-Brexit UK model, to ensure that data can move freely between the UK and EU in the context of on-going trading relationships.
Therefore, irrespective of whether or not your organisation has operations in other EU Member States (so that GDPR compliance would be required in any event), we recommend continuing with GDPR compliance projects as planned.
1. What does Brexit mean for businesses now?
Our key recommendations to businesses are as follows:
- Continue business as usual: at least in the short term, the Brexit vote will not raise any barriers to personal data flows between the UK and other EU member
- Continue with GDPR compliance projects as planned: the GDPR is likely to apply in the UK for a period before the UK leaves the EU, and will heavily influence the reform of UK data protection laws post-Brexit. For more information on how to prepare for the GDPR see our detailed guide and infographic.
- Approach data protection policies and procedures across the EU consistently, especially if your business is global: in the unlikely event that the UK does liberalise its data protection safeguards in the longer term, global businesses will still need to satisfy the higher thresholds of the GDPR where they operate in, sell into, or process personal data about people in the EU.
- Keep an eye out for new ICO guidance: with the newly appointed ICO commissioner, Elizabeth Denham, having taken up her post on 29 June 2016 and the ICO recognising Brexit as a key area of uncertainty for its organisation, the ICO will be keen to show transparency and guide businesses through this uncertain period once further information becomes
2. What does the ICO think?
- it would be discussing the implications of the referendum result and its impact on data protection reform in the UK with the government;
- international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens;
- having clear laws with safeguards in place is more important than ever given the growing digital economy, and reform of the UK law remains necessary;
- at least for the next financial year (2016/2017), there are not expected to be any material changes in UK data protection regulation or the role of the ICO; and
- it will continue to work closely alongside fellow international data protection regulators.
As a result, it is likely that in the short to medium term, the ICO’s involvement in cross-border privacy issues, such as global cyber-attacks, and its well-deserved reputation as a pragmatic benchmark for global data protection enforcement, will remain unchanged.
3. How will Brexit impact current UK law?
As a result of the 1995 Data Protection Directive (the Directive) and the UK’s implementing measure, the Data Protection Act 1998 (DPA), the UK’s data privacy regime is currently largely aligned with those of its fellow EU Member States. So, as it stands, it seems very unlikely that there will be any barriers to continued personal data flows from now until at least 25 May 2018.
4. How will Brexit impact the implementation of the GDPR?
The GDPR represents the biggest change to the data protection regime in the EU since the Directive. The aim of the GDPR, among other bold ambitions, is to harmonise, extend and strengthen the application of EU data protection laws. The GDPR has direct effect within all EU Member States, so by default, it will apply directly in the UK from 25 May 2018, without the need for implementing UK legislation and regardless of possible on-going negotiations concerning Brexit.
There are many factors that could potentially influence the default implementation of the GDPR on 25 May 2018 but on balance it seems unlikely that its implementation would be completely derailed, particularly as a result of:
- The mechanics of the Article 50 ‘trigger’: It is difficult to predict when the new UK Prime Minister might trigger Article 50 and how much of the two years allowed under the mechanism for negotiating an exit would be used. If Article 50 was triggered quickly and the full two years was used, then the earliest the UK could practically leave is Autumn 2018. This would be just a few months after the GDPR becomes law.
- The lack of political appetite to vary this default position: It is highly unlikely that any future UK Parliament would want to be seen withdrawing from what is generally regarded as a global benchmark in the regulation of data processing. The risk of the UK Parliament taking steps to liberalise data protection laws by repealing or amending the DPA or GDPR, at least until any formal withdrawal terms have been negotiated with the EU, is therefore particularly remote. The format of any future UK data protection laws is inextricably linked to the nature of the UK’s relationship with the EU. On the basis that negotiations on those terms may not have been substantially agreed by May 2018, the implementation of the GDPR in May 2018 is extremely likely.
- The ICO’s position: a key theme of the ICO’s recent statements has been that reform of UK data protection law is still necessary and the ICO will be lobbying the UK government to advance this position in the coming weeks. Equally, while the ICO is considering the impact of the results of the EU referendum on its work to assist businesses in preparing for the GDPR in further detail, it is not anticipating any material changes in UK data protection regulation for the foreseeable future.