Skip to main content

Leaving the EU: The impact on data protection and compliance

As Britain plots its uncertain course through the uncharted waters of Brexit, one of the least-discussed facets is the impact that leaving the European Union will have on data protection and privacy.  The laws concerning data are global and complex, and depend on a complex suite of bi-lateral and multi-lateral agreements, from Safe Harbour to the General Data Protection Regulation (GDPR). As one of the pioneers of the digital age, the UK has been intimately involved in shaping the landscape of data protection and privacy regulations – both within the EU and around the world – so it’s important to understand how Brexit will affect the issue of privacy and security. 

The UK has been at the forefront of European and international data protection reform for over thirty years and has played a central role in the GDPR from the beginning, advocating, shaping and supporting the reforms. Rather than being a fundamentally new piece of legislation, the GDPR represents a codification and clarification of a range of existing laws. Data protection laws in the UK preceded EU laws by more than a decade, introducing the Data Protection Act in 1984, as a result of OECD membership. 

Data protection laws weren’t pioneered by the EU – the UK already had robust legislation in place; part of a global framework of data protection rules to balance privacy and international trade.

Leader and reformist

The UK is, and always has been, a leader in data protection reform. There are many reasons why this should be so, from the UK’s long history of championing personal liberty to the importance of the creative sector to the country’s economy. As such, Britain has done more than any country to shape Europe-wide data legislation such as the GDPR. How, then will Brexit affect data protection in the UK and beyond? It’s only been a few months since the referendum, but over the coming months and years we will see Brexit negotiations unfold and gain more clarity on what the future of the UK’s relationship with the EU looks like. 

What’s clear is that the UK isn’t going to have the ability to influence future reforms around the EU table anymore. Unlike with the beginning stages of the GDPR initiative, the UK won’t be able to lobby for upcoming reforms such as the e-privacy directive, focusing on enhanced protection in digital marketing space. The UK has previously been a driver in negotiations, pushing for reform and increased protection but Brexit means this influence will be lost.  If one thing is clear from the early stages of negotiation, and the government’s stated aim to continue co-operating with their erstwhile European partners, is that the UK will continue to show leadership around data and privacy. For one thing, it makes strong business sense to maintain strong ties with the EU for economic security in the marketing sector and other industries. 

Baroness Neville-Rolfe DBE CMG, Minister for Data Protection, outlined at the Privacy Laws & Business annual conference on data protection that Brexit hasn't changed the problem of how to protect data. The growth in the digital economy means the need to protect citizens’ interests and data will remain a priority. She also mentioned if any country shares data with EU Member States, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection. It is important that organisations continue to comply with the Data Protection Act.

One step ahead

Over the past year, we’ve already seen the UK take steps towards greater privacy standards, even before the GDPR comes into force. The UK is starting to plough ahead and is putting people in front of courts, issuing record fines and building up a whole body of knowledge about people breaching current regulations. 

For instance, since the Information Commissioner’s Office law changes around nuisance marketing last year, £2 million in fines have been issued. In this issue, the UK is showing clear leadership, not least in putting its threats of prosecution into action.  Although EU data protection reforms are yet to be confirmed, the UK hasn’t been waiting. UK regulators understand the changes set to come and as well as more investigations and fines they have re-issued their marketing guidance, already bringing the UK closer to GDPR standards.  

When it comes to data protection and privacy, legislation is only one part of the jigsaw. Businesses must also consider industry regulation and commercial contracts alongside customer satisfaction, company ethos and company accreditations. Regular data breaches gaining mass media attention has meant consumer awareness around the risks of sharing personal data are firmly on the public’s mind, with a reported 9 out of 10 consumers wanting more control over the data they share. 

There is a growing intolerance for data misuse. Businesses are being forced to accept that privacy matters. Customers will always expect more from brands than the minimum legal standards. In many ways, the specific details of laws don’t matter as much as understanding the principles that the laws are trying to promote and protect – transparency, fairness and consumer protection.

Data protection vanguard

The UK can be proud of its contribution to the growing corpus of international standards and regulations concerning data security and privacy, as well as its efforts to enforce these ideas in its own jurisdiction. Looking forward, we can expect Britain to continue to be in the vanguard, and to act as a beacon for other nations or supranational bodies that seek to strengthen individual liberty and security. 

It’s difficult, for example, to see the UK failing to continue its engagement with and contribution to organisations such as the OECD and the EU when it comes to shaping new guidelines and best practices.  Amid all the hyperbole about Britain turning its back on Europe, the reality will likely be one of continued co-operation and, we hope, continued leadership for the UK. While our influence on the main stage will be reduced, our legacy and commitment to robust data protection legislation should remain.

Image Credit: D Smith / Flickr

Steve Henderson, Compliance Officer at Communicator

Steve Henderson is a Compliance Officer at Communicator. He is responsible for developing the email delivery, analytics and reporting systems. Steve is a member of the DMA’s Email Council and consults on the council's Legal and Best Practice hub.