Apparently, 24% of businesses are not preparing for the General Data Protection Regulation because they believe Brexit means it won’t apply in the UK. I deliberately didn’t post this on April Fool’s Day as it’s too serious.
The survey results are staggering on two fronts. First, these businesses have actually heard of GDPR and have undertaken some kind of evaluation on whether to comply. They’re arguably further ahead than the larger number who are either unaware of GDPR or who have yet to prepare. Second, having grasped that GDPR is a thing, these businesses have fallen at the next hurdle by assuming that Brexit will cancel GDPR. Perhaps they also believe that Brexit means the NHS will get an extra £350m every week?
I’ve previously posted about data myths and have been covering this latest one in my GDPR talks recently. Look, it’s fairly simple:
- GDPR becomes enforceable in May 2018 and the UK gov previously indicated it will come into force in the UK (see Q72)
- If the UK gov takes the full 2 years to negotiate, Brexit will occur on 29 March 2019 – that is, after GDPR is enforceable in UK law
- In its February Brexit whitepaper (PDF) the gov said it would seek to “maintain the stability of data transfer between EU Member States and the UK” as it recognises the stability of data transfer is important for the tech sector (see paras 8.38-8.40)
- The March Great Repeal Bill whitepaper (PDF) doesn’t mention GDPR or data protection but states that the UK will continue to comply with the European Convention on Human Rights (see paras 2.21-2.25), arguably the foundation of modern data protection laws. Therefore, GDPR will be preserved on Brexit day
- This means GDPR will come into force in the UK and will stay in force after Brexit
The government might change its mind later and revoke GDPR compliance. But remember, the UK had data protection laws before the EU did. And no data compliance officer I’ve spoken to wants to have a GDPR standard for that part of their business involving EU data transfers and a lower standard for the part with non-EU transfers. They want one standard, so that will have to be the GDPR standard.
So, in summary: GDPR will be enforceable in the UK notwithstanding Brexit.
UPDATE: What effect will the Snooper’s Charter have? As Brexit means the UK will leave the single market, this might take us outside data fortress Europe. This means we will have GDPR-style obligations but the EU Commission will assess our data protection laws as a whole to see if data transfers are ok to continue. If it decides we comply with GDPR then we will be on the safe list, just as Canada, Israel, Switzerland and others are at the moment. But the reason Safe Harbor was annulled and replaced with Privacy Shield was because of the US gov’s broad snooping powers. Arguably, the UK gov has similarly broad powers under the Investigatory Powers Act (aka Snooper’s Charter) so we may need to negotiate our own Privacy Shield. That won’t be straightforward as even Privacy Shield is undergoing a legal challenge. Best dig out those Model Clauses…