How the biggest economic change to the UK affects EU data protection laws
GDPR took effect on 25 May 2018 and in less than a year, it has claimed businesses, the largest of which being Google as its most notable victim. The rules imposed by GDPR apply to all citizens of an EU member state but since the UK may not be in the EU come GDPR's first birthday, some are left puzzled as to where that leaves us in terms of GDPR.
It's important to understand that GDPR isn't a law, if it was, we could leave the EU and then the UK would cease to be governed by it. The GDPR is a European directive which means it presents a set of rules and once approved by all member states, said states must draft domestic laws in which the rules presented by the directive must be imposed onto the citizens of that country and that country only.
Multinational businesses may face some issue in terms of data transfer between regions. Under the GDPR, personal data can be shared between European Economic Area (EEA) member states, but that same information cannot be transferred to 'third countries' outside the EEA unless said 'third countries' are deemed to have adequate data protection laws in place to allow that.
This is an issue because there is uncertainty which lies in the time period following the UK's exit from the bloc. The second it's official and that we have left, if we leave, we will become one of those 'third countries' to which data cannot be transferred from an EEA state and vice versa.
The requirement to prove adequate data protection laws could be an easy one for the UK to make considering GDPR did once apply to us and therefore, our domestic Data Protection Act 2018 could provide a quick fix to this issue. But, just like with everything surrounding Brexit in the past few months, nothing is certain.
Will the UK follow the EU’s GDPR?
While the UK is removing itself from the EU’s legal framework, it will continue to stand by the GDPR for now. It's not known what the final relationship between the UK and EU will be. Various models have been discussed, and discounted, by the UK.
According to the regulations themselves, the transfer of personal data to a non-EU country is prohibited unless that country has “an adequate level of data protection”. The UK can ensure it meets that "adequate level" by maintaining GDPR's rules.
Post-Brexit, the UK likely won’t be subject to decisions by both European Court of Justice and of the European Board of Data Protection. In addition, the UK Information Commissioner's Office (ICO) will no longer participate in the European Data Protection Board, losing influence on interpretations of law and decisions within the EU.
Preparing for GDPR and BREXIT
Organisations should have carried out their GDPR compliance well before this piece of regulation came into force. In order to continue trading with as little disruption as possible, organisations need to show they have adequate measures in place for their customers’ data.
Brexit does not give organisations any get out clause, especially those ones who will continue to hold the personal data of EU citizens going forward.