Stay Calm and Keep Compliant: UK Brexit Data Protection Implications

The UK has voted to leave the European Union in the referendum of 23 June 2016.

Brexit, what now?

While the consequences of this result on the UK's data protection regime will stem largely from how the UK Government chooses to maintain its relationship with the EU and how the UK legal regime will be untangled from the EU framework, the take-home message is clear: stay calm and keep compliant.

It is likely that Article 50 of the Lisbon Treaty 2009 will be invoked, enabling the UK to withdraw from the EU. However, this exit process will take an initial two year period (and possibly much longer). Therefore, for the next two years at least, the UK remains part of the EU and must remain compliant with data protection and privacy laws.

The 'two' year negotiation period for the Brexit and the two-year transition period for the EU General Data Protection Regulation ("GDPR") will, to some degree, run at the same time. The GDPR will be directly applicable in all EU Member States as of May 25, 2018, potentially before the two - three year period during which the exit will be negotiated. 

Keep Compliant

UK companies will therefore have to prepare for and start to comply with the GDPR notwithstanding Brexit.

Additionally, even though the UK would be outside the EU (and possibly EEA), UK companies may still have to comply with the GDPR from 25 May 2018 if they monitor the behaviour of, or offer goods and services to, citizens in the EU/EEA from the UK (as any other non-EU/EEA company, due to the extra-territorial scope of the GDPR).

Therefore for as long as Europe continues to be an important trading block for the UK, the EU's data protection requirements will continue to be of relevance, both economically and politically, to the UK.

Many questions remain, including whether the UK will be granted adequacy status by the European Commission and the timeframe for that as well as the impact on the UK of the "One-Stop Shop" concept being introduced by the GDPR. We will continue to track and update on developments as they unfold. It is clear however that EU data protection requirements will continue to impact UK businesses and operations, whether directly or indirectly.

Above all else, continued compliance with high standards of data protection law is not only important for ongoing European trade, but to maintain the consumer and employee trust, which is essential in the digital age. 

Stay Calm

To conclude, a quote from Lord O'Donnell, summing up how the UK and the EU must co-exist in the future:

"Divorce can sometimes be painful, but it does not have to be messy. The secret to breaking up is the same for states as for people - good planning, good sense and an ability to learn how to live and trade together in a shrinking world."

For further views and to keep up to date as the situation unfolds you can view our dedicated Brexit website here and our Brexit blog here. 

We have also prepared a Checklist which outlines the core questions for the moment.