The people of the UK have voted to leave the European Union and at the moment it is fair to say that the only certainty is uncertainty for the foreseeable future. However, when it comes to data protection – there really is no need to panic.
Q1: What happens now?
Short Answer: Not much.
Long Answer: Rome wasn't built in a day. There is a period of up to two years to negotiate exit after the UK "hands in its notice" (which is a political choice rather than an obligation); this is done by invoking Article 50 of the Lisbon Treaty. During this period, all existing legislation remains in force. The UK Information Commissioner's Office ("ICO") has emphasised the importance of clear laws given the growing digital economy and stated that it will be encouraging government to continue with the reform of data protection law. For now, the Data Protection Act remains the "law of the land".
Q2: Does this mean organisations can ignore the implications of the GDPR?
Short Answer: Absolutely not.
Long Answer: The General Data Protection Regulation ("GDPR"), which will overhaul data protection legislation across the EU, is due to come into force in May 2018 (before the UK will be able to leave the EU). Further, the way the GDPR is drafted means companies doing business in Europe (whether they are from the UK, US or anywhere else) will need to comply with the GDPR, and the risk of non-compliance could be fines of up to 4% of annual turnover or €20 million – this is not to be taken lightly. Let's not forget that the Network and Information Security Directive and the ePrivacy Directive are also in the pipeline and pose their own threats (depending on your business).
Q3: What about the Privacy Shield?
Short Answer: It depends.
Long Answer: It depends…
In an ironic case of timing, the Privacy Shield text was concluded in the early hours of the Brexit vote, and the latest commentary suggests the Privacy Shield is on course to be finalised over the summer, so for now the UK will follow suit with the rest of the EU. If, following Brexit, the UK leaves the EU but remains part of the EEA, the UK will likely retain the Privacy Shield scheme as regards the transfer of data to the United States. If the UK leaves the EU without any trade agreement, anything could happen, but the likelihood is that we would have to negotiate our own EU-UK version of the Privacy Shield to meet the EU's high standards on the international transfer of personal data.
Q4: What should you do in the short-term?
Short Answer: Keep calm and carry on.
- Keep in motion any processes and changes to comply with the GDPR
- Evaluate your UK operations - what data flows between the UK and the EU and the UK and the US?
- Watch this space