GDPR – still coming to the UK

The result of the EU referendum in the UK has taken many by surprise. The now real prospect of Brexit has raised many questions on its impact on the legal order in the UK. This especially applies to those pieces of legislation which were enacted as a result of EU directive or regulation. That question gets even more complex when it comes to legislation that has just come into force but has not started to apply yet, such as the General Data Protection Regulation (GDPR).

While the immediate thought may be to abandon the preparations for the GDPR, this changes after just a few moments of a deeper reflection.

First of all, many UK businesses will continue to provide services or sell goods in many countries across the EU even after Brexit. In such a case, they will have to comply with the GDPR or face fines of up to 4% of global turnover.

Secondly, the GDPR has vastly expanded the jurisdictional reach of the regulation by applying to those operators who offer goods or services to, or monitor, data subjects in the EU “regardless of whether the processing takes place in the Union or not” (article 3). This means that any organisation or business carrying out the above activities will have to comply with the GDPR.

Thirdly, the UK will remain a full member of the EU until the negotiations on the country’s withdrawal are completed. As such, it will enjoy all its rights as a member and will have to comply with the legislation in force. The UK has not yet invoked article 50 of the Lisbon Treaty which allows the two-year withdrawal negotiations to start. Since the GDPR will start to apply in May 2018, there is a fair chance that the UK will still be a member of the EU and will have to comply fully with the new regime.

Fourthly, it is still unclear what the future relationship between the EU and UK would look like. If the UK chooses to join the European Free Trade Association, it will continue to participate in the single market and would continue to apply the vast body of the EU law. If it chooses a different solution, the UK will be free to set its own data protection laws. However, in the case of data transfers between the EU and the UK, the UK will be treated as a third country under the GDPR and its data protection legislation would be assessed as to whether it provides adequate protection of personal data. This assessment is likely to be more positive when the UK maintains a high level of protection of personal data in line with the regime in force across the EU.

Indeed, the spokesperson for the Information Commissioner's Office pointed out that: “If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the single market on equal terms we would have to prove 'adequacy' – in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018.”

For all the above reasons, you should maintain your focus on getting ready for the new regime.