How do we attain this? By having equivalent data protection laws, in which case we will still need to comply with General Data Protection Regulation (GDPR) standards.
Even if the UK does not aim for the lofty heights of equivalent data protection laws, many organisations in the UK will still need to comply with GDPR standards and here’s why:
If personal data is transferred to a non-European Economic Area (EEA) country, other than for ad hoc data transfers which fall within the ‘permitted transfers’ list, a mechanism such as Binding Corporate Rules or Model Contracts will need to be used.
For example, a company has shared HR services/systems. Servers are in the Netherlands but accessible from the UK. This will involve a personal data transfer to the UK. Model Contracts would need to be put in place (assuming they are still around by 2018 given Max Schrems is now also challenging Model Contracts before the Irish data protection regulator). Intra-group Model Contracts will involve commitments by the UK recipient to data protection compliance principles equivalent to those in Europe. From May 2018 that means complying with GDPR standards.
You will still be caught by the GDPR if you are not a member of the EU, even if you are not receiving personal data from an EU country, where you are targeting goods or services at an EU market or profiling personal data of data subjects in the EU. For example, a UK online retailer which sells to continental European consumers will still need to apply GDPR standards to its use of personal data of European-based data subjects.
If you use service providers in any EU country, GDPR standards could also still apply. For example, if you use an IT service provider in Germany, you might not have an ‘establishment’ in the European Union, but could still be processing on equipment there by virtue of your German provider. By processing on equipment based in Germany, you could then still be caught by the GDPR (given this will apply in Germany from May 2018).
The chances are that many UK organisations will need to be GDPR-compliant regardless. Do not let post-Brexit uncertainty eat away at your GDPR compliance schedule.
Kirsten Whitfield is a director at Gowling WLG.