How the biggest economic change to the UK affects EU data protection laws
As of May 2018, the General Data Protection Regulations (GDPR) govern all data processing involving European Union citizens. However, following the UK's decision to leave the bloc, the government is acting on its plans to split from the EU, with the departure date provisionally set for 29 March 2019.
Although GDPR is a European Union law, and we will no longer be part of that political body (of course, physically, we're still part of Europe), GDPR will still apply if you have any dealings with the rest of Europe at all.
GDPR technically won't affect British citizens in the same way as it will, for example, French, German or Italian citizens, as the UK operates under a revised Data Protection Act. However, the DPA 2018 is essentially a tweaked version of GDPR, a deliberate act to maintain regulatory alignment post-Brexit, and so all the same principles and guidelines will still apply, including those new hefty fines.
It's also highly likely that your business has dealings with European citizens, whether direct or indirect. You may (even unknowingly) hold European citizen data, and it must therefore be protected as per EU rules.
Will the UK follow the EU’s GDPR?
While the UK is removing itself from the EU’s legal framework, it will continue to stand by the GDPR for now. At the time of writing, it's not known what the final relationship between the UK and EU will be. Various models have been discussed, and discounted, by the UK.
According to the regulations themselves, the transfer of personal data to a non-EU country is prohibited unless that country has “an adequate level of data protection”. The UK can ensure it meets that "adequate level" by maintaining GDPR's rules.
Post-Brexit, the UK likely won’t be subject to decisions of either the European Court of Justice or the European Board of Data Protection. In addition, the UK Information Commissioner's Office (ICO) will no longer participate in the European Data Protection Board, losing influence on interpretations of law and decisions within the EU.
Preparing for GDPR and Brexit
Organisations should have completed their GDPR compliance work well before this piece of regulation came into force. In order to continue trading with as little disruption as possible, organisations need to show they have adequate measures in place for their customers’ data.
Brexit does not give organisations any get-out clause, especially those that will continue to hold the personal data of EU citizens going forward.