Britain is to leave the European Union, but the General Data Protection Regulation (GDPR), one of the most significant developments in EU law, will continue to be enforced in Britain—likely forever.
Despite breathless press coverage, Brexit has not yet happened. In fact, as events have shown, the British withdrawal from the European Union is a process, not an event.
Consider the timeline: on June 23, 2016, the United Kingdom voted by a slim but convincing majority to leave the EU. Leaving the EU meant triggering Article 50 of the Treaty of Lisbon, which was not invoked immediately. First, then-prime minister David Cameron stood down, followed by a leadership campaign that was decisively won by the current British prime minister, Theresa May, on July 13.
Ms May then waited a further eight months before triggering Article 50 on March 29, 2017. After that, she called a general election for June 8, 2017, while Article 50 itself is a two-year negotiation process that will not be complete until March 2019.
It is also still far from clear what form Brexit will take. Both a so-called “hard Brexit”, in which Britain removes itself from all EU institutions, and various degrees of “soft Brexit”, from membership of the European Economic Area (EEA) and the European Free Trade Association (Efta) to various forms of special relationship based on associate membership, remain on the table.
For now, the General Data Protection Regulation (GDPR), which is the most thoroughgoing development in European data protection regulation, will continue to apply in the UK—and most British businesses will have to deal with it for years to come.
First of all, as Theresa May has explicitly stated, once Britain leaves the EU all EU law will be immediately written into UK law under the auspices of the so-called “Great Repeal Bill”. In fact, the bill will not repeal a single law. Instead, it will massively increase the number of laws in Britain.
Over time, Westminster will pick and choose those EU laws which it wishes to keep, slowly undoing those which the country no longer wants, but each law will have to be repealed individually by parliament. The noted solicitor and legal commentator David Allen Green, writing in The Financial Times, said that the Great Repeal Bill would, “in effect, be the greatest single imposition of EU law in UK legal history”.
Among that body of EU law will, of course, be the GDPR, which came into force across the EU bloc on April 27, 2016, and will be rigorously enforced from May 25, 2018. After May 2018, the GDPR’s sanctions—fines of up to €20 million (approx. £17.2 million), or four per cent of annual global turnover—will be imposed on companies found not to be in compliance. As a result of section 2(1) of the European Communities Act (1972), the UK has committed to accept and comply with EU laws made under the various EU treaties, and this includes the GDPR up until late March 2019. This timing means that the GDPR, which is already law, will apply in the UK, in practical terms, as an EU law for just under a year. Britain’s Information Commissioner’s Office (ICO) has made it clear that it will introduce the GDPR on time and that it expects those in the UK subject to the GDPR to comply with its terms.
The GDPR will not simply disappear after British withdrawal from the EU is complete, however.
Following the UK’s final exit from the EU, Ms May’s Great Repeal Bill means that the GDPR will then be re-written identically into British law. The terms agreed between the UK and the EU, which are, at present, far from clear, will affect the extent to which the UK as a whole continues to comply with EU laws and requirements. But even in a hard Brexit scenario, British businesses will not be able to ignore the GDPR—nor will EU businesses that currently use UK-based data or information services. Gavin Peacock, Group CEO of TRC Solutions, says that Brexit cannot be used as an excuse to ignore the GDPR. “Anybody in the UK will need to adopt it anyway, but also if they have EU clients that’s it, it applies to them,” he said.
In fact, even if the GDPR eventually meets the Westminster chopping block, the majority of UK businesses will still have to abide by it—assuming they want to do business with anyone in the EU. The GDPR contains provisions for ensuring that the transfer of personal data pertaining to EU citizens to non-EEA jurisdictions can only be lawfully made in limited circumstances.
This is an issue that already has an effect on many businesses, as only a tiny number of non-EEA countries are viewed by the EU as having “adequate security”. Transfers to other countries, therefore, are heavily regulated, and once the GDPR’s sanctions are in place many businesses will face the prospect of being told they can no longer trade in the EU unless they abide by the GDPR.
Large multinational businesses may choose to relocate all data pertaining to EU citizens that is currently held in the UK to other EU member states. Smaller and medium-sized businesses that are based in the UK but sell abroad, however, will have no such option. In effect, any business that exports from the UK to any EU country will have to take account of the GDPR.
Likewise, any business based in an EU member state that currently makes use of any UK-based service provider, such as a cloud platform or data centre, could easily find itself in breach. A hard Brexit will also spur specific questions. For instance, if the UK ceases to be within the EEA once it leaves the EU, personal data transfers to the UK—even within a business—will come under the spotlight of EU authorities seeking to protect EU citizens.
Writing in The Register, Danny Bradbury pointed out that: “Companies hosting data centres in the UK will be dragged into GDPR compliance whether they like it or not”. Now is the time to implement a defensible GDPR strategy for your business.