Since the surprising Brexit vote in June 2017, there has been a worrying assumption doing the rounds in some sectors of the UK. Namely that the newly constructed EU General Data Protection Regulation (EU GDPR) can’t (or won’t) be enforced upon the UK after we leave that EU legal structure.
With Theresa May’s forthright and very public speeches about the UK taking back its legal powers from the EU, it is perhaps understandable that some confusion reigns in regards to this important legislation.
However, let me be very clear. I, along with many other data privacy experts, do not believe that Brexit will make any difference whatsoever. All UK organisations (and individuals!) face stricter data privacy laws regardless of what our final negotiated position is with the EU, or any other trading country for that matter.
A good pedigree for Data Privacy
It’s worth remembering that the UK was one of the first G7 countries to have solid data privacy legislation; this was actually way before the better-known 1998 Act. In fact, we had our first Data Protection Act (DPA) in 1984, and its lesser-known offspring, The Access to Personal Files Act, quickly followed in 1987.
Britain has a good pedigree when it comes to data privacy, and the updated and enhanced 1998 Act was seen as a model to be cloned and copied around many other countries. The UK respects privacy and, as much as we will follow other countries’ rules, we also expect them to look after our citizens’ data very diligently.
Also remember that the new GDPR, whilst forged in Brussels, was constructed with a great deal of ideas and input from British quarters. The GDPR is as British as it is European in its sentiment and aims; some might say probably more so.
So, as the UK ventures into the wider and more global world markets, we will undoubtedly forge new customer and supplier bases with countries that already trade within EU agreements. Those countries will want to ensure that the UK treats trading and customer information with the same respect as the GDPR. They will expect us to retain the GDPR in some form or another.
Of course, the UK will equally expect those countries to respect its citizens’ data. The UK’s new Information Commissioner has made it very clear that companies that take liberties with personal data can expect little mercy. The new GDPR rules on consent will be strictly enforced to ensure that overseas suppliers do not abuse marketing data for cross-selling or nefarious purposes not in line with the customer’s original wishes. UK organisations will be expected to play on a level playing field within our own borders too. That monitoring of potential consent abuses will apply, equally diligently, even to companies that don’t trade abroad.
Whatever deals we forge with the EU-27 group, Brussels will undoubtedly insist that we adopt the GDPR ready for our actual leave date. Even though that farewell date seems to be pencilled in for March 2019, we will remain a member state until then. We are still bound by all EU legislation until that date. Therefore, with the EU GDPR coming into force in May 2018, the UK is tied to these rules in both its short-run and its longer-term obligations.
Theresa May made it very clear that all EU laws would be converted into UK laws at first, and then filtered and inspected for suitability and/or supersedure. With the 1998 Data Protection Act now going through its own update exercise, it is obvious that Parliament will take this opportunity to bake the GDPR rules into the shiny new Data Protection Act – version 201x, I’m estimating around the early-2018 mark.
So, no matter where a company trades – UK, EU or the wider globe – the GDPR will be applied in some form or another. This will either be through the current DPA with the added authority of the GDPR, or the UK’s newly-written DPA+GDPR hybrid. I don’t believe that the latter will be long in the pipeline.
The clock is ticking
So, all organisations need to start gearing up. May 2018 seems a long way off, but industry seems to have already lost 5 months since the GDPR was signed earlier in May this year. That’s 21% of the possible planning and implementation time lost already.
It’s time for the UK to forge ahead with trade inside and outside its borders, and economic indicators show that this has started. But, one way or the other, with the Data Protection Act version 3 and overlapping GDPR rules looming, business needs to stop ignoring the clock.
These new rules, and the penalties that can be applied for breaches, are highly punitive (up to 4% of corporate global gross turnover) and can leave corporate reputations in tatters. As we all know, reputation is probably the more valuable of those two assets to lose.