A number of our clients have asked us recently about how Brexit will affect the implementation of the General Data Protection Regulation (GDPR). This, for those of you who don’t know (where have you been?!), is a new EU data privacy law that came into effect in May of this year, and which you can read about in gory detail here.
While it is true that the UK is on track to leave the European Union at the end of March 2019, this is no reason to think that it will suddenly become exempt from the regulation. Of course, post-Brexit, GDPR will no longer directly apply to organisations in the UK, as it is an EU law. Similarly, UK citizens, who are due to lose all their rights as EU citizens, will no longer benefit from the protections GDPR offers.
Avoiding a giant headache
However, the UK, like the EU, recognises the need for this new legislation. Indeed, it has already drafted, and is implementing, its own version of the GDPR, known as the 2018 Data Protection Act. This updates the country’s existing data protection regulations to conform to the new GDPR standards.
The 2018 DPA is more or less a direct cut-and-paste job, putting the EU law onto the UK statute books. And while it may be true that, post-Brexit, there is nothing to stop the UK parliament making whatever changes it likes to the legislation, in practice it is highly unlikely to ever do so.
This is because the GDPR has strict rules concerning the transfer of data from an EU member state to a third country, as the UK will become. If the UK were to deviate from the GDPR, it would create massive issues for UK-based companies that have clients, suppliers or partners in the EU. It is therefore in the UK’s interest to follow the EU’s lead and maintain the same data privacy standards as its continental neighbours.
It’s about your data, not about you
The crucial point about the GDPR though is that it doesn’t care where the data holder is, or who they are. What it cares about is the subject of that data. It applies to all companies on Earth who have EU citizens as customers, including those in the UK.
This is a point that is well-made in this article from Privacy Sense:
“To trigger application of the GDPR you do not need to be handling the data yourself. Your data does not need to be stored in the EU. Your data does not need to be handled on your behalf by someone based in the EU. It is sufficient for your data to be about EU individuals.”
To sum up
The GDPR is an EU law, but with a global reach. With or without Brexit, all UK companies with clients, suppliers, or partners in the EU will need to adhere to it. Basically, Brexit or no Brexit, there’s no getting away from the GDPR!
IMPORTANT: This article does NOT constitute legal advice, which Port 80 Services is in no way qualified to give. We strongly recommend seeking professional legal advice to ensure you comply with the GDPR.