​GDPR: The Brexit Conundrum

25 May 2017

Author: Aaron Roddy

Our previous articles in this series looked at some of the new concepts introduced by the EU General Data Protection Regulation (“GDPR”) and some practical issues around its implementation by organisations as they get ready for the go-live date of 25th May 2018. Whilst we still have more questions than answers, in this fourth article, we consider some possible impacts of Brexit on the process of implementation.

Modern business requires mass movement of vast amounts of personal data around the world. A good example of the economic and political dependency on those data flows was the turmoil caused by the ECJ’s ruling that the Safe Harbour was invalid and subsequent concerns in the international community that EU Data Protection Law has gone too far.

There has been speculation from some quarters that Brexit will be an opportunity for the UK in that it could start relaxing its Data Protection Laws and thereby reduce the “red tape” around data flow in and out of the UK as a means of making itself a more attractive trading partner to prospective new international partners. However, most commentators believe that leaving the EU’s “safe data club” is more of a threat to the UK economy than an opportunity.

If the UK remains within the single market, EU rules on personal data might well continue to apply in the UK. In other scenarios EU rules might be replaced with national ones. The bottom line is that if the UK wants to continue trading with the EU and sharing personal data with member states or more importantly, handling the personal data of EU citizens, then it will need to be assessed by the EU as providing an adequate level of protection for that personal data.

The current expectation is that the Government will negotiate a national level solution. For example the UK might try to negotiate a bilateral data pact with the EU. This could take the form of a free-standing agreement under which UK companies could voluntarily agree to adhere to enhanced protections for data in order to be able to receive personal data from the EU.

One thing all of the options have in common, is that they’ll take some time to put in place and could involve some very challenging conversations with the EU.

The new Information Commissioner, Elizabeth Denham, has now made her first public speech since being appointed in July. As she points out, the GDPR will most likely become effective before the UK exits the EU. She has also confirmed her view that regardless of the form of exit finally adopted, the UK’s interests will probably be best served by continuing to align its Data Protection Law with that of the EU.

That being the case, organisations should continue to plan for compliance with the GDPR.

For more information on any of the matters detailed above or for general advice on or assistance with the new GDPR, please contact Dawn McKnight [email protected]. Dawn is a Partner at Carson McDowell and is head of the firm’s Commercial Practice.