What is the future of GDPR?
GDPR is the General Data Protection Regulation. It is due to come into force on May 25th 2018 across the EU, and will update, and in some ways replace, the UK’s own 1998 Data Protection Act.
As an EU Regulation, you might reasonably ask how the GDPR will be affected by Brexit – the UK filed Article 50 on March 29th 2017, triggering a potential two-year withdrawal period from the EU, and the commencement of the GDPR falls roughly in the middle of the negotiations.
The short answer is that until the UK leaves the EU, which could happen on March 29th 2019, or sooner if negotiations are concluded before then, any laws that apply to the EU are likely to continue to apply to the UK as a member state.
An unlikely exception to this is if, as part of the negotiations, the EU agrees to stop governing the UK’s laws ahead of time, but if anything it’s more likely that there will be an extended transition period during which the European courts still have some jurisdiction.
Who will GDPR affect?
The 2017 Queen’s Speech confirmed in no uncertain terms that the GDPR will be introduced into UK law and will continue to apply after Brexit, giving the UK a relatively stable platform of legislation for cross-border work with the remaining EU member states.
It added: “Over 70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade.”
All companies that collect and store individually identifiable data about customers will need to be aware of the incoming Regulation and how it changes their obligations on storing, retrieving and ultimately deleting that data.
The ‘right to be forgotten’ is possibly one of the most difficult parts to get right, as the government’s notes on the Queen’s Speech outlined:
“The new rules strengthen rights and empower individuals to have more control over their personal data, including a right to be forgotten when individuals no longer want their data to be processed, provided that there are no legitimate grounds for retaining it.”
It will be up to businesses to decide whether there ARE legitimate grounds – or even a regulatory obligation – to retain data, even if customers and other individuals request that it be deleted.
Preparing for GDPR
May 2018 is just eight months away and it’s important that British businesses continue to prepare for the introduction of GDPR – not only while the UK remains a member of the EU, but also beyond that date.
Being able to demonstrate compliance will help international companies to compete on a level playing field with those on the continent, without the GDPR being held against them after Brexit.
More importantly though, even after Brexit the GDPR will be copied directly into domestic UK law, so this is not an issue that will simply vanish in March 2019.
Complying with the GDPR means complying with domestic UK data protection law for the long term, and will help to keep you on the right side of the ICO in the years to come.