Welcome to the next instalment of the TRU blog looking at the various aspects and elements of GDPR. This blog looks at the impact Brexit will have on GDPR within the UK following the UK’s departure from the EU on 29th March 2019.
There are numerous rumours in circulation that GDPR will not be relevant once the UK leaves the EU. This is not the case. GDPR will be enshrined in UK law and will still be relevant. In the Queen’s Speech (June 2017) GDPR was referenced as follows:
“To implement the General Data Protection Regulation and the new Directive which applies to law enforcement data processing, meeting our obligations while we remain an EU member state and helping to put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU.”
Shortly after the Queen’s Speech, the Information Commissioner’s Office (ICO) published its 5-year strategy, which unsurprisingly mirrored the sentiments of the Speech. Amongst the highlights of the strategy was the statement on how the ICO would approach the global challenges presented by the impact on business (and the changes businesses would need to make) of advancements in technology and data protection. As this document was published following the Queen’s Speech, the ICO had in effect stated that there were no plans to dilute the requirements of the GDPR.
Indeed the ICO also stated in the strategy document that both the ICO and the Government had the desire for the UK to be the leader in data protection legislation globally. This too implies that GDPR will not be overturned.
Should any doubt remain that GDPR is to be a longstanding piece of legislation, reassurance can be found in further reading of the ICO strategy documentation. The ICO has an appetite for a strong relationship with the European Data Protection Board (EDPB) and for strengthening of bilateral relationships with individual EU states’ data protection authorities. This could only be effective if the UK were to be utilising the same base level of regulation.
The final piece of the GDPR post-Brexit jigsaw is summarised in a statement made by Elizabeth Denham, the Information Commissioner:
“…for the ICO to be seen as a ‘global data protection gateway.’ Effectively interoperable with various legal systems that protect international data flows…”
In summary, Brexit, in whatever form it takes, will not have any influence on the day-to-day impact of GDPR; indeed, the converse could equally be argued. Brexit will indeed strengthen the role GDPR is to play in the protection of personal data in the post-Brexit era.
May 25th 2018 is not the implementation date for GDPR, nor is it the finishing line; it is the date that legislation to protect personal private data comes into effect in the EU. It is actually the starting point of regulation that cannot have a finish date or a best-before date attached.
Certainly GDPR will evolve as time passes and ever more stringent safeguards are required to ensure that our personal data is kept secure; today it is seen as an inconvenience, but in a few months’ time it will be seen as business as usual. The various definitions within GDPR will have been absorbed into everyday business language, and organisations of all sizes will be gearing up for another challenge. Whether or not that will be IT based is far from clear, but as the Internet of Things (IoT) continues to grow one thing is certain: more data than ever before will be ‘out there’, and Data Protection Managers in whatever guise will be tasked with ensuring that the data is secure, correct and available as necessary.