The decision of UK voters to leave the EU has thrown up numerous questions for companies around compliance with EU regulation. Data protection is no exception.
Put simply, Brexit complicates the compliance duties of companies that deal with UK/EU data, whether customer, consumer, marketing, sales, employee, business partner or otherwise. There may also be a mistaken belief that since this is incoming EU legislation, there is now no need to comply.
A key takeaway is that, despite the planned exit, there are a number of reasons why it is still crucial that businesses continue to focus on making the internal changes they need to make to get ready for the new EU General Data Protection Regulation (GDPR).
With EU Data Protection fines confirmed at up to four per cent of turnover or €20m (£16.7m), non-compliance presents a real risk to businesses. The new rules will most likely also apply before any exit (so will have a direct effect on UK businesses) and even after any exit the rules have been deliberately drafted to catch any businesses, wherever in the world they may be, if they target or deal with EU customers.
In short, continued efforts to comply with the recently firmed up privacy by design and other requirements are absolutely in line with the Commissioners’ guidance, and businesses should take heed to avoid the prospect of large fines.
So exactly what will UK Data Protection Regulation look like in a post-Brexit world and what should businesses be doing to prepare? Any speculation at this point is just that – speculation. Businesses will therefore need to keep an eye on not just the changes needed to deal with the GDPR, but also any exceptions or variations that may be introduced specifically for the UK.
Discussions with EU privacy commissioners in recent months (including the UK Information Commissioner) about the possibility of Brexit have made clear that any updated UK-specific data protection legislation will likely closely mirror EU data laws to ensure "adequacy" status. Therefore, the recommended actions to comply should still be the focus for businesses and should assist in preparing them for UK-specific compliance.
There may of course be future UK-specific “wrinkles” layered on top of the core data protection requirements after Britain’s exit from the EU, but GDPR compliance now will likely save businesses a headache in the long run.
Beyond the macro level, individual businesses are best advised to take steps now to review and action changes to internal processes, terms and policies to meet the new privacy by design requirements. The advice for international companies is also to check with UK counsel to clarify any additional UK-specific nuances on top of EU-centric compliance. Certainly, burying your head in the sand would not be wise and could prove very costly.