What impact will Brexit have on the UK’s implementation of the GDPR?

Currently, UK data centres are bound by the EU Data Protection Directive, which had to be enacted through each member state’s own laws, resulting in the Data Protection Act of 1998 in the UK. These antiquated protections are being updated to correspond with the present-day data environment and the challenges of a digital economy. It is becoming increasingly necessary for data to be able to flow freely across borders, however differing cultural norms regarding privacy and legal systems currently act as a barrier to this. These challenges are what underpin the intent of the EU’s General Data Protection Regulation (GDPR), creating a one-stop shop for data protection is, in principle, a step towards simplifying regulation in a rapidly evolving digital era.

The GDPR comes into effect on 25 May 2018, which pre-empts the UK’s exit from the EU. Consequently, regardless of the decisions made within the Great Repeal Bill or the completion of Article 50, as the UK will still be a Member State in May 2018, UK organisations must be prepared to comply with GDPR when it comes into force, or face the possibility of extraordinary penalties. To enable this, we will see changes being made to the existing UK Data Protection Act before May 2018 to ensure that there is no duplication or contradiction between it and the GDPR.

Even if the UK decides to change it’s data protection laws, post-Brexit, given how heavily involved the UK was in drafting the regulation, the likelihood of any new data protection legislation deviating significantly from the essence of what is laid out in the GDPR is fairly small. Furthermore, all UK organisations will still be required to comply with GDPR if they hold personal data for any European citizens. Therefore, it is highly important that British businesses are not only aware of these regulations, but are also working towards implementing them. 

In February, Matthew Hancock, Minister of State for Digital and Culture, addressed the House of Lords committee regarding the UK’s implementation plan for the GDPR. He remarked that the UK would look to implement the GDPR in full, with the aim of securing the free flow of data between the UK and the EU, post-Brexit. However, Hancock declined to provide any specific details when asked if the UK would be seeking a declaration of adequacy from the European Commission, which would permit unhindered and uninterrupted transfers of EU personal data to the UK.

Despite the significant upfront costs of implementation, complying with GDPR will be empowering for UK citizens and, ultimately, provide a competitive edge for organisations. Bringing data protection into the 21st Century and creating a culture of data confidence is something that all UK organisations should be doing, not just to comply, but also for the substantial benefits which good data governance brings.