
What does Brexit mean For EU data protection laws?


08 August 2016

As far as the data protection landscape is concerned, Brexit could hardly have come at a more challenging time, though some might call its timing fortuitous. With that in mind, David Lello, director of Burning Tree, examines the implications and addresses some of the issues that arise.


Earlier in 2016, the EU regulators adopted a new EU data protection framework, which will come into force in all EU countries on 25 May 2018. It takes the form of a regulation, which means it is binding on all member states without the need for national implementing legislation. The new General Data Protection Regulation (GDPR) replaces the current directive and places new and heavy obligations on those affected. In order to comply, all relevant firms within the EU will need to invest considerably. But before we look at the likely impact of Brexit on these new rules, let us take a brief look at what is involved.

Data processors outside the EU – The new GDPR applies to data controllers and processors located outside the EU if some (or all) of their processing activities are directed at data subjects within the EU. Under current legislation, this is not the case. Under the new rules, many such external organisations will be required to appoint a representative in the EU.

Expanded role for data processors – The new rules impose onerous obligations and responsibilities on data controllers. These include:

  • Carrying out a risk assessment on processing procedures. Controllers must implement new procedures, identify high-risk operations and consider the potential risks. There are significant fines for getting this wrong;
  • Implementing data protection by design and by default, ensuring that the privacy of data subjects is properly protected;
  • Keeping a detailed written record of the processing activities carried out by each controller;
  • Appointing a Data Protection Officer (DPO) if the processing is carried out by a public authority, or is considered to be on a “large scale”;
  • Appointing an EU representative if the organisation is not established in the EU;
  • Notifying any data breach to the Data Protection Authority (DPA) within 72 hours. In most circumstances the breach should also be notified to the affected data subjects without undue delay;
  • Providing information to data subjects at the time the data is obtained. Existing procedures that provide a “fair processing notice” will need to be checked, as the new requirements in the GDPR are much more detailed and demanding; and
  • Obtaining consent to the processing of a subject’s personal data. Consent must be as simple to withdraw as it was to give in the first place. Explicit consent must be obtained for the processing of sensitive data. Existing consents will only remain valid if they comply with the new conditions.

Fines – A tiered penalty system has been established, ranging from fines of two per cent of worldwide turnover plus €10m for each breach, up to four per cent – five per cent of turnover and €20m for each breach.

New European data protection board – An independent European Data Protection Board (EDPB) will be set up to replace the existing “Working Party”. Its duties will include issuing opinions and guidance, and ensuring the consistent application of the GDPR.

Binding corporate rules – BCRs must be legally binding on every member of the group of undertakings or enterprises, inside or outside the EU, including its staff.

International transfers of data – The issues surrounding “safe harbour” have not yet been fully resolved, but the new regulation includes many new requirements, such as a check on whether data subjects have been properly informed of the risks of a transfer.

Data subjects’ rights – The new regulation considerably reinforces individuals’ rights, as can be seen from the foregoing. These include the right of access to their own data, the right to restrict or object to processing, the right to receive their data back in a commonly used format, and the right to erasure and to “be forgotten”.


Brexit will probably have little effect on the need to comply with the new GDPR. Most firms doing business internationally should already be taking preliminary steps to comply. Even before the results of the referendum were known, the UK’s Information Commissioner’s office issued a statement that “the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.”

More recently, the ICO stated: “The Data Protection Act remains the law of the land irrespective of the referendum result. If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the single market on equal terms we would have to prove ‘adequacy’. In other words UK data protection standards would have to be equivalent to the EU’s GDPR framework.”

Much will depend on the negotiations that precede Brexit. But whatever is finally agreed, the fact remains that the UK will still be an EU member in May 2018, when the new regulation comes into effect. So the ICO statement and the likelihood of fines for non-compliance are two good reasons why the UK should take the GDPR seriously. But there is more.

As the ICO states, if companies in the UK wish to continue to trade with the EU, they will have little choice but to comply. So what are the supposed benefits of, or alternatives to, compliance with the GDPR?

“DP haven”? – Some have talked about creating a “data protection haven” to attract business to the UK. But it is difficult to see how the UK could get away with implementing privacy laws that are not substantially similar to the GDPR. The EU already has regulations governing the transfer of data from the EU to other countries, and it is currently engaged in a protracted dispute with the USA over the issue of US data flows.

“DP Light”? – Others have suggested that the UK should review all of its data protection laws and move to a much “lighter regime”. The UK would then need to convince the EU that its new, alternative regulations are acceptable.

But if the UK tried to avoid some of the more onerous provisions of the GDPR, it is far from clear that it could win the Commission’s agreement. The UK and the Commission have a long history of disagreements over implementing data protection laws to the standards required by Europe. The recent invalidation of “Safe Harbour” clearly indicates the approach the Commission is likely to take if it has to assess a new post-Brexit UK data protection regime, and the UK is already pushing at the limits of what is permissible under current EU DP law. It is unlikely to succeed with anything much short of total compliance.

If the UK wants to position itself as a global hub for international business, technology, data, science, medical research and so on, it will have to be very circumspect in finding the right balance in its post-Brexit DP legislation. It will have to keep the EU satisfied while still being able to deal on an equal footing with the rest of the world. In view of all this, I reiterate what I stated at the top of this article: businesses and undertakings in the UK would be well advised to begin planning for the introduction of the main provisions of the GDPR, if they have not already, and to keep a close watch on events.

David Lello is director of Burning Tree.