In a recent survey of IT decision makers, 25 per cent of respondents had cancelled their preparations for the GDPR and 44 per cent thought the GDPR would not apply to UK businesses once the UK has left the EU. Anna Drozd explains why law firms still need to comply.
The result of the EU referendum in the UK took many by surprise. The now real prospect of Brexit has raised many questions about its impact on the legal order in the UK, particularly on the directives and regulations enacted as a result of EU law. And what about the General Data Protection Regulation (GDPR), which has just entered into force but does not yet apply?
While the immediate thought may be to abandon your preparations for the GDPR, let me try to change your mind.
Four reasons to comply
1. UK businesses will continue to provide services or sell goods in EU countries after Brexit
Those businesses will have to comply with the GDPR or face administrative fines of up to 4 per cent of total worldwide annual turnover (or EUR 20 million, whichever is higher).
2. ‘regardless of whether the processing takes place in the Union or not’
The GDPR vastly expands the territorial reach of EU data protection law: it applies to controllers and processors established outside the EU who offer goods or services to, or monitor the behaviour of, data subjects in the EU, ‘regardless of whether the processing takes place in the Union or not’ (Article 3). Any organisation or business carrying out those activities will therefore have to comply with the GDPR, wherever it is based.
3. GDPR will start to apply in May 2018
The UK will remain a full member of the EU until the negotiations on withdrawal are completed. As such, it will retain all its rights as a member and will have to comply with the legislation in force. Since the GDPR applies from 25 May 2018, and withdrawal cannot be completed by then, the UK will still be a member of the EU on that date and will have to comply fully with the new regime.
4. Future relationship between the EU and UK
It is still unclear what the future relationship between the EU and the UK will look like. If the UK chooses to join the European Free Trade Association and stay in the single market through the European Economic Area, it will continue to apply the vast body of EU law, including the GDPR. If it chooses a different solution, the UK will be free to set its own data protection laws. However, for data transfers from the EU to the UK, the UK will then be treated as a third country under the GDPR, and the European Commission will assess whether its data protection legislation provides an adequate level of protection for personal data. That assessment is far more likely to be positive if the UK maintains a high level of protection of personal data in line with the regime in force across the EU.
An Information Commissioner's Office spokesperson pointed out that:
‘If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018.’
For all these reasons, you should maintain your focus on getting ready for the new regime.
The ICO has recently published guidance on preparing to comply with the GDPR before it starts to apply in May 2018.