Brexit: Data Protection
The Minister of State for Digital and Culture has confirmed that the General Data Protection Regulation will come into force as planned in 2018, contradicting the statement made earlier by his boss, the Secretary of State for Culture, Media and Sport. What was missing from the Minister’s statement, however, was any indication as to how rigorously the Information Commission will enforce parts of the Regulation in the intervening period between its implementation and completion of the Brexit process.
“A towel, it says, is about the most massively useful thing an interstellar hitchhiker can have”, wrote Douglas Adams in The Hitchhiker’s Guide to the Galaxy. So useful, in fact, that fans of the book have named 25th May as ‘Towel Day’ in commemoration.
And it is on Towel Day in 2018 that the General Data Protection Regulation is due to come into force in the UK, from when a towel may become the second most massively useful thing behind an intimate, working knowledge of the Regulation. As on this date, the UK will most likely be at an advanced stage in its departure from the EU, so although the protection Regulation may be less popular, it will be of much more importance to UK business.
This blog isn’t a summary of the Regulation and its content – that is another exercise entirely. Rather, this is an attempt to answer the question as to whether UK businesses need to worry about getting to grips with the Regulation considering the conflicting messages on the future of the General Data Protection Regulation.
When 17.4 million people voted ‘leave’ in the referendum on 23 June, it set into action a chain of events culminating in the UK’s departure from the EU in the year or two that follow the Regulation’s introduction.
While there is much that remains unclear about Brexit, one thing is certain – the UK will still be in the EU on Towel Day 2018 … er, the day the Regulation is introduced into EU law. And therefore, in May 2018, UK businesses will need to be operating in accordance with the Regulation.
Unless, of course, the UK Government and the Information Commission decide to ‘turn a blind eye’ to the Regulation on the basis that, two years after Article 50 is triggered, the Regulation will automatically cease to apply in the UK. The upshot of that circumstance is that we may have a short-period where the existing Data Protection Act of 1998 is overridden by the Regulation, only for the Data Protection Act 1998 to return to eminence once Brexit has finally taken place.
It is also possible that the UK Government will decide to voluntarily continue to adopt the terms of the Regulation. In which case, the Data Protection Act 1998 won’t be coming back.
With many different scenarios which could come into play, this is a complex situation that has many permutations that make business planning tricky to say the least.
At BPE, we are here to help make the complex simpler, so here’s what we think will happen.
In September it was announced that the Regulation will come into force in the UK, overriding the Data Protection Act of 1998 in May 2018. However, the Minister of State for Business Energy and Industrial Strategy (which includes responsibility for data protection), Baroness Neville-Rolfe, has recently admitted that the GDP Regulation might never actually come into force in UK law, despite the fact that the GDP Regulation becomes effective in May 2018, at which time the UK won’t have left the EU. Or, if it is introduced, there is a strong possibility that the Regulation will not be enforced too rigorously in the period between its introduction and the UK’s exit from the EU, and once the UK’s departure is finalised, we could end up with some hybrid of the existing Data Protection Act and the new Regulation.
The UK’s Information Commissioner, Elizabeth Denham, has stated that the GDP Regulation will come into force in the UK, at least for the period between May 2018 and Brexit, and thereafter the UK will look to ‘evolve’ the law over time. If the UK wants to trade in the Union, we will need laws that, even if not entirely reflective of the Regulation, offer EU citizens at least equivalent levels of protection. So, that’s helped clear that up, then.
Undoubtedly, the future will only get clearer over the course of the next two-to-three years, but in the meantime, some sensible preparation will surely be worthwhile in the long run.
BPE’s advice to business is therefore (for the time being at least) to start putting measures in place to comply with the new Regulation, and in particular to be aware of the fact that:
• the Regulation encompasses data controllers outside of the EU
• in some circumstances, there will be a need to appoint a statutory Data Protection Officer
• a paper trail must be maintained to demonstrate compliance
• data processors, for the first time, will have direct statutory duties (rather than just being liable to their data controllers)
• more onerous conditions will be required in order to get data subjects’ consent
• there will be a need for more detailed ‘fair processing notices’
• there will be additional obligations in relation to children’s data
• subjects will be entitled to the new ‘right to be forgotten’
• there will be a duty to report data security breaches to the Information Commission.
Against the backdrop of ensuring the above measures are at least discussed, businesses must also be prepared for the possibility of the UK Government announcing plans for a Data Protection Act 2018 which, whilst it may borrow parts of the Regulation, will doubtless look somewhat different. There may also yet be a legal challenge to Brexit, and the UK may not leave the EU. In which case, the future of data protection in the UK will be the new Regulation.
As one legal publisher put it: “Will that be the rock, or the hard place, sir?”
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.