In case you’ve been living under a rock for the past few months and have missed the announcement, the General Data Protection Regulations are set to come into effect on 25thMay 2018 – a mere ten months away! This means that the legislation will be in full force for almost a year before Britain’s scheduled departure from Europe.
But if we’re leaving anyway, will we still need to comply with the European GDPR?
There’s been a lot of confusion around Brexit and the new regulations, so we’re here to set the record straight: the rules will still apply, both now and going forward. And here’s why…
Rules for the past, present and future
Back in 1995, the EU Data Directive was created, which set out some very broad compliance stipulations. This meant that countries within the union could interpret them openly, factoring domestic and political demands into building their own legislation. For the UK, this resulted in the passing of the 1998 Data Protection Act.
But as we all know, technology has moved on a lot since then! So, while the rules could deal with the systems in place at the time, they failed to allow for any real advancements. Alongside the fact that the directive was open to interpretation, this technological oversight has led to significant inconsistencies in the laws governing data in our the modern, connected world.
Current media scaremongering surrounding GDPR might lead you to believe that the P actually stands for panic! However, all the legislation seeks to do is ensure these existing rules are up-to-date, clearly defined and the same in each country. Plus, unlike the previous directive, the regulations have a degree of “future proofing” built in.
The new rules are also extra-territorial, meaning that they extend to any organisation dealing with the data of EU citizens. This levels the playing field for companies providing goods or services to EU inhabitants, regardless of which country they trade or operate from, or whether they’re personally based in Europe or not.
So, what about Brexit?
While we’re still part of the EU, the UK will have to be GDPR compliant. However, this doesn’t mean we can suddenly start breaking all the rules the day after Brexit.
The regulations provide us with the ability to demonstrate that our protective measures are adequate. This means that if we show ongoing compliance with the legislation, we can be granted permission to the ‘Adequacy Protection’ list, which is where we’re likely to find ourselves post-Brexit. For us to actually fail this test, there would need to be:
- Material changes to our existing domestic data protection laws, or
- Rejection of and failure to comply with the GDPR.
And if such a failure occurred, this would result in one of two outcomes:
- The introduction of new laws that would enable us to join the list, or
- An increase in the use of Binding Corporate Rules and the implementation of Standard Contract Clauses between EU-based companies and those residing in the UK. Binding Corporate Rules must be submitted and approved by a Supervisory Authority – the ICO in the case of the UK – whilst Standard Contract Clauses are either defined by the European Commission, or adopted by a National Authority. Both of these increases would in turn result in more ‘red tape’, legal costs and cross-border trade impact.
While this might sound worrying, it’s widely believed that it’s unlikely to happen for a number of reasons:
- It’s doubtful that any political party will want to deal with the implications of reducing protection afforded to UK citizens.
- It’s also unlikely that the same government will want to be held accountable for any activities that could result in domestic or international product prices going up, which could be a consequence of GDPR non-compliance and companies having to balance trading costs.
- And it’s probable that this party won’t want to risk businesses relocating from the UK to other EU-based countries – where they’d have to put more controls in place – simply to reduce their overheads.
So, no matter how you voted, Brexit is the result of a majority believing that it’s “better to be out than in”. But even though we’re stepping outside of the EU, it’s essential that trade continues. This means that it’s highly unlikely that the UK government will do anything to put a greater burden on the UK digital economy – especially when it’s trying to demonstrate the benefits of leaving the EU.
GDPR is all about ‘good practice’ and about showing that you value the security of the data you hold on file. And any companies attempting to get around compliance with the Brexit excuse should realise two things – firstly, that it won’t be long until they’re caught; and secondly, that they should look at the deeper reasons underlying their fear of safeguarding their data.
If GDPR is still giving you a headache, why not let our certified practitioners put your mind at ease? We offer a range of services – including a FREE GDPR Workshop – so get in touch today to find out how we can help.