What happens to EU Data Protection Regulation if UK votes for Brexit?

As the UK prepares to vote on whether to stay in the European Union there is an extra conundrum for businesses and records managers: what would Brexit mean for the new EU General Data Protection Regulation (GDPR)?

The Regulation, which has been four years in the making and generated a robust debate, is due to come into force in 2018 – and aims to create a one-stop shop for data protection across the EU. Some of the key aspects of the bill include huge fines for data breaches, new rules around the collection of personal data and new rights for European citizens to ask for data be deleted or edited. Many businesses will also be required to appoint a Data Protection Officer.

It’s no surprise, then, that businesses across the country have been contemplating what kind of impact it will have on their operation, their systems and their budgets. All the advice, quite correctly, has been that failing to prepare for the Regulation could leave businesses open to fines, loss of reputation and – just as importantly – see them miss out on a chance to make the most of their data.

However, the Brexit vote in June now opens up the possibility that the UK could be out of the EU by the time it comes into force – and that’s causing a great deal of confusion.

Should businesses, for instance, spend the money required to update and improve their systems and audit their data – as many are already doing? Or should they now stand back and play the waiting game as the UK public decides on its future in Europe?

There are several important questions to answer here, so let’s take them one by one:

1. Would the EU General Data Regulation still apply to UK businesses if Britain voted for a Brexit?

It would be tempting for businesses to think that if the UK leaves the EU this regulation would not apply. In fact, that isn’t the case. Although an independent Britain would not be part of the Regulation, in reality, it would still be impossible to avoid its implications.

The Regulation governs the personal data of all European citizens, providing them with greater control and more rights over information held about them. So any company holding identifiable information of an EU citizen, no matter where it is based, needs to be aware. With millions of EU citizens living in the UK, too, it’s hard to imagine that many businesses here would be unaffected.

The same applies to data breaches involving the personal data of European citizens. So it will still be vital to have a watertight information management system in place which allows businesses to know what information they have, where it is, how it can be edited and who is responsible for it

2. Why should businesses push ahead with data reforms regardless of the Brexit vote?

Businesses should be thinking about the benefits of good information governance rather than hesitating because of what could happen in the future.

There is no point putting in place systems that ignore privacy by design, for instance, when that is good procedure – no matter what happens in Europe in June. The same is true of measures to protect a business from data breaches, which have reputational as well as financial implications – no matter who imposes the fine.

As for personal data, citizens, in the UK are only going to be more demanding about how their data is collected, stored and edited in future – the genie is out of the bottle and it’s not sensible to think that leaving the EU will change it. Preparing for a modern data world is not only about the GDPR.

3. What could be the benefits of staying part of the EU and consequently being a signatory of the new EU GDPR?

The political debate has its own arena and that is for people to make up their own minds on. But in terms of the GDPR this is a regulation designed to make things easier for businesses that work with the personal data of EU citizens. A one-stop shop for data protection, for instance, is long overdue. Trying to regulate a rapidly-evolving digital world with legislation dating from 20 years ago does not make sense. Any regulation which encourages businesses to have strong and robust information management systems in place should be a good thing.

4. What could be the benefits of being outside the EU GDPR if the UK votes for Brexit?

There are certain requirements of the GDPR which may no longer apply, such as a requirement to appoint a Data Protection Officer for some companies. So, there could be cost savings in the short term. The reality, however, is that the general principles of the Regulation are pretty universal and likely to influence legislation and best practice in other areas of the world. The best advice for businesses is to embrace those principles and prepare accordingly.

What the Information Commissioners’ Office (ICO) says:

How will data be regulated in the UK if it leaves the EU?

“It will continue to be regulated by the current Data Protection Act, which was passed back in 1998. Although derived from an EU Directive, the Data Protection Act was passed by the UK Parliament and will remain in place after any exit, until Parliament decides to introduce a new law or amend it...The UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines.”

So if the UK votes for Brexit it doesn’t mean businesses should stop worrying about data protection law?

“Not at all. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on. The UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU”

What should businesses who are currently upgrading their systems ready for EU GDPR do? Should they cut back on reforms?

“Ultimately, this is a decision for organisations based on their own particular circumstances. Revisiting and reassessing your data protection practices will serve you well whatever the outcome of the referendum. Investing in GDPR compliance will ensure an organisation has a high standard of data protection compliance that will enable the building of consumer trust.”

John Culkin, Director of Information Management, Crown Records Management

Image source: Shutterstock/Wright Studio