While the full implications of Brexit are yet to be determined, there is one area of law which could be significantly affected, and that is Data Protection. In April this year, the EU adopted a new system called the General Data Protection Regulation (GDPR), which will come into force in May 2018. Now that the UK has decided to leave the EU, this could mean a great deal of confusion surrounding how we will continue to legislate on Data Protection. But first, what is the GDPR?
What is the GDPR?
The General Data Protection Regulation represents one of the most significant overhauls in Data Protection in two decades and will apply directly to all EU member states. It tightens up and applies much stricter rules with regard to data protection in an effort to give EU individuals greater control over their personal data. The new rules aim to make it simpler to regulate data protection across borders by standardising it in the EU. The main principles are to improve personal digital security, give individuals more control over what data may be collected, and increase data portability. These new rules will entail a vast array of changes within businesses, from changes to data processing policies, processes and procedures to the appointment of a large number of Data Protection Officers.
The Pre-Brexit data protection situation.
Before the referendum it was believed that in order to go ahead with GDPR, the UK would need a minimum of 7000 Data Protection Officers, and probably more when one takes into account large banks and insurance companies which might employ several. This seemed so likely, indeed, that Henley Business School even launched a programme entirely geared towards training future Data Protection Officers.
Other studies showed that although various sectors, specifically the retail sector, were spending considerable amounts of money on data protection, they were spending it on the wrong areas. Vast sums were being expended on network and anti-virus security, despite such areas having been proved ineffective against multi-stage attacks. Indeed, a staggering 89% of IT executives in the retail sector said they felt vulnerable to data threats.
In such a climate, one would imagine that the introduction of a well-structured, comprehensive regulation such as GDPR would be an ideal solution. The problem is that a large number of businesses in the UK do not know anything about it. The Close Brothers’ quarterly survey of UK SME owners showed that 82% of companies either have not heard of GDPR, or do not understand its impact. Had the UK voted to stay in the EU, this would have meant that these companies would have had to overhaul their data protection systems or risk the EU’s penalty for non-compliance – 20 million euros, or 4% of annual revenue, whichever was higher.
All of these factors come together to paint a picture of the UK as a country fully cognisant of the need for stringent data protection measures but not sufficiently trained, educated, or informed in the best way to put these into practice.
Data protection post-Brexit.
So, since the UK has voted to leave, what now? Technically speaking, GDPR will come into force several months before the UK has actually left the EU, so long as the withdrawal process follows the assigned 2 years. This leaves the question of how data protection will be managed until then wide open. The Data Protection Minister Baroness Neville-Rolfe has herself said that the government will have no idea how to apply the EU rules on data until the discussions around UK withdrawal have taken place. It is possible that, upon officially leaving the EU, the UK will adopt domestic legislation to keep the rules of the GDPR in place, but this remains to be seen. With the current laws on data protection (the Data Protection Act 1998) deriving from EU law to begin with, 2018 may mark the first time when the EU and UK laws governing data protection diverge. However, until a thorough roadmap for the next two years is drawn up, the future of data protection in the UK will be in limbo.
For any further information or questions regarding the subject matter discussed in this article, please contact Davenport Solicitors by email at firstname.lastname@example.org or by phone on +44(0)203 207 9430.