So, we have just triggered article 50 and this is liable to impact our data protection and privacy setup- but we don’t yet know what the full impact will be and we may not know for quite some time yet. However, we need to start considering the possible implications now. There are many areas to deliberate over what are the key issues here? Of course, these will differ depending on your business. The top areas to consider for data protection and privacy are:
- Should UK businesses continue to align their operations and processes with the EU General Data Protection Regulation (GDPR)?
- The free-flow data between the UK and the EU will likely require the UK to either join EFTA or be confirmed as an “adequate” jurisdiction by the European Commission.
- Dependent on these issues, UK businesses with significant cross-border transfers of personal data with the EU will need to pay close attention to how they achieve on-going compliance with EU laws in this area.
Given that the GDPR comes into force in May 2018, one could have argued that the Referendum result would have little impact because of the 1995 Data Protection Directive and the UK Data Protection Act 1998. The latest statement from the Information Commissioner’s Office (ICO) says that:
Given that, for so many business services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, the free flow of data is paramount to them. The UK would need to accord with the standards outlined in the GDPR if the UK wishes to “trade with the [EU] single market on equal terms” in the event that the Regulation does not “directly apply to the UK”. The risk exists that the UK might refuse to align its data protection laws to the level of the GDPR given the UK’s (and Information Commissioner’s Office’s) persistent push-back on large tracts of the draft GDPR throughout the process. The UK has said that the “GDPR measures were either overly process-driven or unnecessarily protective of the individual”. What would we need to do if this did happen? No one truly knows at this stage. But a single set of rules is attractive both in terms of managing consistency of internal compliance and providing a consistent message to consumers and contractual counterparties on the way in which personal data is handled. We need to Safe Harbour our data and that of all of our clients we deal with. And of course, there is the on-going US data laws that we must always consider!