What happens to the EU GDPR if the UK votes Brexit?

Businesses are warned not to give up on data reforms just in case the U.K. leaves Europe.

As the U.K. prepares to vote on whether to leave the European Union, businesses are being warned not to give up on data reforms inspired by the forthcoming EU General Data Protection Regulation (GDPR).

Businesses across the country have been studying implications of the new Regulation, due to be in force in May 2018, which aims to create a ‘one-stop shop’ for data protection across the European Union.

Some of the key aspects of the bill include huge fines for data breaches, new rules around the collection of personal data and new rights for European citizens to ask for data to be deleted or edited. Many businesses will also be required to appoint a Data Protection Officer.

However, the Brexit vote opens up the possibility that the U.K. could be out of the EU by the time it comes into force.

John Culkin, Director of Information Management at Crown Records Management, said: “It would be tempting for businesses to think that if the U.K. leaves the EU this regulation would not apply. In fact, that isn’t the case. Although an independent Britain would not be a signatory of the Regulation, in reality it would still be impossible to avoid its implications.

“The Regulation governs the personal data of all European citizens, providing them with greater control and more rights over information held about them. So any company holding identifiable information of an EU citizen, no matter where it is based, needs to be aware. With millions of EU citizens living in the U.K., too, it’s hard to imagine that many businesses here would be unaffected.

“The same applies to data breaches involving the personal data of European citizens. So it will still be vital to have a watertight information management system in place which allows businesses to know what information they have, where it is, how it can be edited and who is responsible for it.”

Even if the U.K. votes to leave the EU, data in Great Britain and Northern Ireland will continue to be regulated by the current Data Protection Act, which was passed in 1998.

A spokesperson for the Information Commissioner’s Office (ICO), an independent body set up to uphold information rights, said: “Although derived from an EU Directive, the Data Protection Act was passed by the U.K. Parliament and will remain in place after any exit, until Parliament decides to introduce a new law or amend it.

“The U.K. has a history of providing legal protection to consumers around their personal data. Their data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on. The U.K. will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.”

John believes there is a real danger that U.K. businesses will defer crucial reforms of their information management systems – just in case the Brexit vote in June changes the agenda. But he warns it is a big risk.

He said: “Businesses should be thinking about the benefits of good information governance rather than hesitating because of what could happen in the future.

“There is no point putting in place systems that ignore privacy by design, for instance, when that is good procedure – no matter what happens in Europe in June. The same is true of measures to protect a business from data breaches, which have reputational as well as financial implications – no matter who imposes the fine.

“As for personal data, citizens in the U.K. are only going to be more demanding about how their data is collected, stored and edited in future – the genie is out of the bottle and it’s not sensible to think that leaving the EU will change it. Preparing for a modern data world is not only about the GDPR.”

This is a view shared by the ICO, which will continue to ensure organizations meet their information rights obligations no matter how the U.K. votes.

“Ultimately, this is a decision for organizations based on their own particular circumstances. Revisiting and reassessing your data protection practices will serve you well whatever the outcome of the referendum. Investing in GDPR compliance will ensure an organization has a high standard of data protection compliance that will enable the building of consumer trust.”