FOIMan points to a comment from a BREXIT campaigner which reinforces the message that a vote to leave the EU would have little effect on the adoption of the new General Data Protection Regulation in the UK.
On my data protection courses I’ve come to expect the obvious question whenever I mention that the General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and will apply across the European Union (EU). Which is, of course:
What happens if we vote to leave the EU on 23 June?
I’m no constitutional expert, but I’ve been reassured by the fact that my usual answer has been in line with what many other commentators have said on this question. GDPR is coming whether we leave the EU or not. The latest comments from the BREXIT camp if anything seem to me to reinforce this view.
Firstly, one of the most likely flavours of BREXIT is that the UK would join the wider European Economic Area (EEA) – the group that Norway is a member of. Nations in this group still have to comply with many EU laws, and this would include GDPR. Result of this option: GDPR would apply.
Secondly, if the UK goes for another flavour of BREXIT, then it wouldn’t have to adopt GDPR itself, but following the European Court’s decision on Safe Harbor last October, if UK businesses were to continue to do business with European companies and public bodies then it would almost certainly have to adopt an “equivalent” level of data protection. Result of this option: a new Data Protection Act that is to all intents and purposes the GDPR by another name.
One complicating factor is that it has previously been assumed that post-BREXIT negotiations would take two years to complete. This would mean that however we vote, the GDPR would apply for a matter of months after 25 May 2018. If businesses and public bodies have to do enough to comply with the regulation for a few months, what would be the point of lowering standards that they have already worked to meet?
Now comments by one of the leading BREXIT campaigners seem to me to make it even more important for businesses to assume that GDPR is on the way – and will be here to stay. Michael Gove recently suggested that negotiations post-BREXIT would be unlikely to be complete by the time of the General Election in 2020. If BREXIT happens more than 2 years after GDPR has been brought into force, it seems less likely than ever that BREXIT would affect GDPR.
The bottom line is: whatever the outcome on 23 June, the GDPR is on the way and organisations need to prepare for it now.