The 23rd June referendum is fast approaching and it is getting increasingly difficult to get simple answers to simple questions. As we think about how we will vote, just one of the things to consider is the raft of regulations and directives in the EU pipeline which could have a significant effect on us in the UK. The most high profile on the cyber security agenda is the General Data Protection Regulation (GDPR). This is due to come into effect on the 25th May 2018 when it will become law across all 28 member states, without the need for member states to pass local legislation. But will we be bound by GDPR if we leave the European Union?
Most businesses are looking for a simple answer. Yes or No. If Britain votes to remain in the EU then it’s very simple indeed: the GDPR will become law in the UK as well as all other member states and we will have to comply.
But what happens if Britain votes for Brexit and leaves the EU? Will we then be able to ignore the regulation and just adhere to the 1998 UK Data Protection Act? The answer to this is equally simple: no. Because GDPR applies to any country processing EU data, regardless of the outcome of the referendum, it will impact on virtually every UK business. For the vast majority of us, there is simply no avoiding it: we will need to get into a position of compliance.
Because, when it comes to GDPR, it is not where the data is held that matters, it is whom the data is about. If the data is about EU citizens then companies have to comply with the regulation no matter where in the world they are.
So the fundamental questions all organisations need to ask are:
- Do we do business with anyone in the EU?
- Do we store or process any personal data as part of that?
- Do we employ any EU citizens within our organisation?
If the answer to any of these questions is yes then it’s a yes to GDPR compliance. But even if the answer is no, there are some additional political factors to take into account which make GDPR compliance unavoidable. Consider the following scenarios:
The first scenario is that the Brexit process takes several years to complete, meaning that on 25th May 2018 the GDPR will take effect as national law and every organisation will have to comply regardless. This will only change if the Government subsequently passes new legislation repealing the GDPR and creates a UK-specific Data Protection law.
In the second scenario, the process of separation is swifter than expected and we effectively leave the EU before 25th May 2018. In this case, it is likely that the GDPR will not become law, but other factors will come into play, namely whether the UK remains a member of the European Economic Area (EEA). If we do then there will be a mandated requirement to comply with GDPR as prescribed in the Treaty on the Functioning of the European Union.
Even if we choose not to remain part of the EEA, any transfer or processing of EU data will only be permitted if the EU Commission deems the UK to have adequate Data Protection regulations in place. This is often referred to as “Safe Third Country” status. If we are deemed not to be a “Safe Third Country” then any UK organisation processing the personal data of EU citizens will need to examine ways to change how it operates to ensure it complies with EU law, which means we’re back to GDPR.
So, the answer is simple. Whatever the outcome of 23rd June 2016, UK organisations need to ensure they are prepared and in a position to comply with the GDPR. Professional advice will ensure that you do this in the most cost-effective and efficient way possible.