On 21 June 2017 the UK Government revealed its legislative programme for the coming two years. As well as pressing ahead with the UK’s withdrawal from the European Union, the Government has confirmed its intention to bring the EU General Data Protection Regulation (the “GDPR”) into UK law, ensuring the country’s data protection framework is “suitable for our new digital age, allowing citizens to better control their data.”
Once the UK has left the European Union, the legislature will be able to make changes to the GDPR framework as it sees fit. Some post-Brexit changes will be inevitable as a matter of “mechanics”; for example, the role of the UK’s “supervisory authority” – the ICO – will have to change within the regulatory consistency and cooperation mechanism set out in the GDPR (the details of this will result from the negotiations between the UK and the EU).
The notes to the Queen’s Speech call out the UK’s ability to continue to receive personal data flows from the EU after Brexit – “helping to put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU”. In terms of international trade, it will be less about the UK’s ability to share data with its trading partners and more about our ability to receive data from the EU once the adequacy of our data protection legislation falls to be scrutinised in the same way as any other non-EU “third country”. This means that staying close to the rights and obligations contained in the GDPR should be the least disruptive data protection option for future international trade and should also “cement the UK’s position at the forefront of technical innovation, international data sharing and protection of personal data.”
What this means for businesses
1. Stay Calm and Carry On with your GDPR preparation!
The GDPR – or at least something substantially similar – looks set to stay. Whether your business is UK-centric or is global, the GDPR is very likely to impact on it in some way. With just 11 months to go until it comes into force, the focus should be on your GDPR readiness plan, and its implementation.
2. Keep international data transfers under review
Once the UK is no longer an EU member state, a method of ensuring adequate protection for transfers of personal data from the EU to the UK will need to be found – data will no longer be able to flow freely. This is not an insuperable problem but it is an additional burden that trading partners within the EU will not have to contend with. It is to be hoped that, by continuing to adhere to provisions equivalent to those in the GDPR, the UK will be able to achieve a formal adequacy decision from the European Commission without a lengthy delay, but this item will have to compete for attention on the European Commission’s crowded work agenda. This is already being anticipated and accommodated in contracts we are currently negotiating for clients and the position will need to be kept under review in the coming months.
3. Interactions with supervisory authorities
The GDPR recognises a “lead” supervisory authority, which is usually the authority of the place where an organisation has its main establishment. For international organisations with UK headquarters, this is likely to mean that the “lead” supervisory authority for GDPR purposes will alter. The GDPR brings the enforcement powers of all supervisory authorities up to the same, increased level – fines of up to 20,000,000 EUR, or up to 4% of annual worldwide turnover. However, relationships with regulators are of critical importance and the resources of each EU member state’s supervisory authority will not be equal. It may be prudent for organisations to start to consider – to the extent they have a choice – which should be their post-Brexit lead supervisory authority.