Brexit statement: What happens next for Privacy & GDPR?

You are here

The long term impact of the UK's referendum decision to "Brexit" on the legislative framework for privacy is unlikely to be hugely significant.

After Article 50 is invoked which gives our official "notice" to leave the EU (which now looks likely to be after October 2016), there will be a mandatory 2-year MINIMUM period in which we remain a member of the EU whilst we negotiate an exit. During this time all existing legislation (including GDPR) will continue as before. Many forecast that this process might take much longer - with many estimates between 3 and 6 years.

The many organisations which already manage or contain personal data relating to EU/EEA state citizens (clients, prospects or employees) will continue to have to manage that data according to the requirements of the GDPR regardless of "Brexit", or they will be in breach of the GDPR and risk large fines - so for many organisations nothing will change – the GDPR will apply even when we leave.

According to a statement by the ICO on the 19th April 2016:

"The UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.

The UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on."

It is also highly likely that the UK (now with a strong new commissioner with a proven history of backing and enforcing consumer rights) will adopt a legislation directly modelled on the GDPR (as we will also need to do with the other legislations, such as worker’s rights and other similar good laws that protect the rights of the individual which will now need replacing).

The pressure to negotiate a strong trade deal with the EU will also drive the adoption of "mirroring" legislation - designed to minimise the barriers to continued trade. So while we are going to be living in uncertain times for a few years to come it’s likely privacy will still be high on the agenda - if a high profile data breach or mis-use were to happen after “Brexit” (and it probably will!) I believe that the public reaction would be the same - regardless of "Brexit" - and the pressure for organisations to retain and build trust will remain.

Ultimately we must continue to "keep calm and carry on."

Peter Galdies, Develoipment Director, DQM GRC