As the dust settles following the EU Referendum, many people’s thoughts have moved away from the frenzy of political and economic news, to how Brexit will affect their businesses’ day to day operations. In particular, the impact that Brexit may have on the GDPR passed in May. The short answer is that it won’t.
Since 2010, there has been a global recognition that the laws written in the 1990s are no longer relevant to the increasingly sophisticated world of B2B communication and marketing.
Canadian initiatives such as Bill C-28 (2010) and CASL (2014), the sudden rejection of the US-EU Safe Harbour agreement (2015) and the publication of the GDPR (2016) are all symptoms of this global recognition and indicate that significant changes to laws surrounding B2B and B2C communication are on the verge of being implemented on a global scale.
So where does this leave UK companies?
Fallout from Brexit
“The GDPR has offered a unified, blanket solution that all companies around the world could comply to. If the UK will not adhere to the GDPR after the Brexit, it will need to negotiate a separate data privacy agreement with the EU that continues to make it an attractive country to prospects.” – Amy Johnson, Emerson Network Power
The GDPR will come into force on 25th May 2018; before the UK’s likely withdrawal from the EU. Importantly, as a European Regulation, the GDPR has direct effect in UK law without the need for separate legislation by the UK Government.
Since Brexit seems unlikely to have an effect until October 2018 at the earliest, this means that all UK organisations will need to comply with the requirements of the GDPR for around 5 months at the very least.
The role of the ICO
“It is unlikely that the UK is going to want to start drafting a new data protection law, especially during a time when there will be so many other demands on parliamentary time, only to face the uncertainly of placing it before the European Commission for an assessment of its adequacy. More efficiently and, in our view, more likely, is that the UK will simply adopt the GDPR, a text which it had significant input on.” – Riannon Webster, Partner at DAC Beachcroft
It’s difficult to tell how the landscape will change over the next few years, but the expectation is that the GDPR will live on in some form under UK law after 2018.
What we do know is that the ICO is very keen to reform current regulations, arguing the need for uniform global standards in order to broach international trade agreements. Canada and Switzerland are already implementing parallel laws and you can bet the ICO will drive this forward in the UK even without the EU.
Moreover, it seems unlikely that the UK Government, acting on the advice of the ICO, would start from scratch in drafting a new data protection law, so expect large parts of the GDPR to stick around.
“A failure to implement such equivalence will lead the UK down a path similar to the US, which is enduring the demise of Safe Harbour and a torturous agreement process with its replacement, Privacy Shield. This would severely affect UK firms’ ability to compete in Europe.” – Duncan Brown, European Security Practice
If the UK wants access to the Single Market, it’s going to have to align a lot of its laws with the EU’s. As Marc Dautlich emphasises “Norway complies with about three quarters of EU legislation but has very little influence over its content. Under this model, it would be unlikely that the UK would move significantly away from GDPR”
On a business level, we are unlikely to be taken seriously by EU traders if we don’t comply with the same standards. GDPR also applies to any organisation, whether located inside or outside the EU, if that organisation:
1. Offers goods or services to EU citizens
2. Monitors the behaviour of EU citizens
Therefore, in some way or another, UK businesses will need to abide by these laws (or a very similar set of laws) for the foreseeable future.
If this is something which you’re worried about, give us a call on 01672 505050 or send an email to firstname.lastname@example.org to speak to one of our specialists.
We’ve put this together with the help of the following people, some of whom we’ve quoted directly. See more of their advice and opinions below.
Duncan Brown, Research Director at the European Security Practice
Riannon Webster, Partner at DAC Beachcroft
Amy Johnson, VP at Emerson Network Power
Marc Dautlich, Data Potection Law Specialist, Pinsent Masons
Carla Arend, Program Director, European Software