Personal data and information transfer over the Internet is ever-growing. In light of this, the European Union has passed the General Data Protection Regulation (GDPR), which will enter into effect in May of 2018.
This new regulation affects all companies within the EU, which is why many European citizens are now wondering: What will happen with the UK and its exit from the EU after Brexit? Will the United Kingdom comply with the GDPR? For how long?
After the enactment of Article 50, Great Britain gave its consent to start the process of leaving the European Union. This fact implies a serious hit to the rest of the member states, and not just in the economic field.
With Brexit, data centers located in Great Britain will no longer be subject to the data protection regulations of the EU, which is a serious problem for the companies and citizens of the Eurozone.
Unlike EU directives, which have to be implemented in local regulations, GDPR is a regulation and enters into effect immediately. For this reason, data centers in the UK will need to comply with it, since the UK's exit from the EU, scheduled for March of 2019, will take place after GDPR takes effect.
This fact is paramount, since GDPR implies big changes to Great Britain’s data protection regulations, and affects the companies and data centers in the country.
One of the main focuses of GDPR is “data governance.”
Privacy impact analyses will be mandatory for high-risk processing activities, including mass data processing or profiling activities.
One of the most notable aspects is that companies will need to demonstrate “privacy by design,” showing that they have pseudonymized the data they are storing and that they have included privacy protection in their personnel policies. Furthermore, choosing third-party data processors will force companies that control customers’ data to regularly evaluate their collection process.
The new regulation forces companies to provide more information to individuals about what data they are processing, and how. Companies alone are responsible for protecting that data and for any transfer of it that takes place outside of the EU.
GDPR also limits the way consent is used. Under this new regulation, the individual who owns the data will need to grant consent for each of the various data processing activities. In addition, they may erase that data whenever they wish.
This is highly beneficial, since individuals will have greater rights, and it will be easier for them to have their data erased.
However, for companies that suffer a data breach that discloses citizens’ personal data, lawyers have no good news: the fines companies will face under GDPR may amount to 20 million euros, or up to 4% of their worldwide annual turnover.
But, how will Brexit affect the compliance with GDPR? In the event that Article 50 finally takes effect, UK companies will need to study whether the time and money spent in adopting GDPR brings profits or if it is, conversely, wasted.
Adopting this new regulation has major budgetary implications in IT, personnel, communications and governance, according to the ICO (Information Commissioner’s Office).
The continuity of GDPR in the UK after Brexit is uncharted territory, so much so that experts forecast two opposing situations:
The first one is for Great Britain to decide to completely get rid of GDPR after its exit from the EU.
In such a case, English companies will need to consider transferring data to other countries outside the European Union in order to later transfer data with countries within the EU.
As Ashley Winton, partner of Paul Hastings and expert in cyber law, explains: “My opinion is that United Kingdom companies will continue to enjoy a good freedom and laxity to transfer data to the USA after Brexit.”
Current UK laws allow the freedom to choose whether to comply or not when data is transferred to countries outside the EU. Companies can decide by themselves whether it’s OK to transfer data to another jurisdiction, according to the rules of the ICO.
Uncertainty is the main issue, since it is very difficult to know how the United Kingdom’s relationship with the EU would be after Brexit.
In light of this situation, some experts maintain that it is the ICO that would have to set in motion some kind of standardized agreement with the rest of the EU in order to avoid making the situation even more complex.
Another thing that may happen after Brexit is for the GDPR to stay in effect for UK companies, even though it would no longer officially apply after its exit from the European Union.
In the event that Great Britain were to “relax” its data protection regime, being one of the main partners of the EU, would that be really beneficial to the country? Many experts doubt that.
Frank Jennings, a partner at Wallace LLP, argues that those companies that have complied with GDPR will surely keep complying with the regulation, even if the UK eliminated it or adopted a less-protective standard in regard to data transfer.
Compliance by Great Britain with the GDPR is a matter of time, since the companies that do not comply will see the trust of European customers start to dwindle and be questioned.
Meanwhile, all we, the citizens of the Eurozone, need to do is just wait to benefit from GDPR and to, finally, find out where the United Kingdom will stand after Brexit. If you want to know how to address the GDPR, contact us.
To be continued…