No Brexcuses: GDPR preparations must continue

Posted: July 26th 2016

Whether or not you voted for Brexit, whether or not you believe it’s a done deal, there’s one thing post-referendum that surely isn’t up for debate. For British companies wanting to trade with Europe, the bureaucracy of Brussels isn't going away. And that particularly applies to data protection. Some business people may well have heaved a sigh of relief on June 24th at the thought that GDPR (General Data Protection Regulation) the tough new European data protection regulation that was adopted in April 2016 and comes into force in May 2018 would no longer apply in the UK. That idea was based on the premise that the important thing is where the data is stored.

Unfortunately, that's not true under GDPR. What matters is whether the data concerns EU citizens, irrespective of where it is stored. Current UK data protection legislation comes from the Data Protection Act 1998, based on the 1995 Data Protection Directive. That will be superseded in Europe by GDPR less than two years from now. In other words, even if Article 50 were notified right now, GDPR would come into force before the Article 50 two-year post notification period runs out. Because GDPR is a Regulation and not a Directive, it does not require enabling national legislation to become law. That means it will apply in the United Kingdom, whether we like it or not. Even once Brexit is fully negotiated and implemented the chances are that the UK will either have to comply with GDPR or implement data protection legislation of its own that the EU deems adequate (i.e. the same or very similar) if it wishes to keep trading with the European Union. This is likely to be equally applicable to the Network and Information Security Directive which has until May 2018 to be implemented in national law.

So, if UK businesses have any ambition to continue selling to European customers, viewing Brexit as an opportunity to side-step data protection obligations is a serious mistake. Despite the GDPR’s short term disruption, the regulation is likely to have a positive impact on data security industry. It will accelerate the modernisation of Europe’s data security practices and enforce consistency of approach between EU member states. Nonetheless, it will require European business of all sizes to take a very close look at their security, including those in the UK.  From both commercial and practical perspectives, preparations must continue. Regardless of what you make of either Brexit or the GDPR, businesses in the UK have no choice but to keep pace with the regulation.