Implications of Brexit on GDPR

On June 23, 2016, the British public voted to “leave” the European Union (EU) in a highly anticipated referendum vote. This Brexit vote inevitably generated significant uncertainty as to how EU regulations such as the General Data Protection Regulation (GDPR) would apply to UK companies and enterprises. Now that a year has passed since the vote, the future of GDPR in the UK and what data protection regulations UK companies need to be cognizant of are more clear. Public statements by UK government officials and the Queen illuminate the UK’s commitment to strong data protection laws and adherence to GDPR requirements at least until the UK officially leaves the EU and a new Data Protection Bill is drafted domestically.

The bottom-line is that presently the UK government has acknowledged that the UK will not be leaving the EU before May 2018 when GDPR goes into effect. Therefore, UK companies, whether or not they process or control data on EU persons, will be subject to the regulations put forth in GDPR. However, the Queen and other government officials have made it clear that adherence to GDPR beginning in May 2018 does not preclude the development of and implementation of a stronger and more comprehensive Data Protection Bill unique to the UK that would replace the UK Data Protection Act of 1998.

Two government statements underlie this conclusion and reiterate the obligation of UK companies to ensure compliance with GDPR by May 2018.

Karen Bradley, Secretary of State for Culture, Media and Sport

In an appearance at the House of Commons on October 24, 2016, Secretary Bradley stated that “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

The Information Commissioner’s Office (ICO)

The ICO has reiterated this perspective in confirming that “The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.” ICO is also providing resources and guidance to help companies prepare for GDPR.

And even if the UK does leave the EU in the future, a new UK Data Protection Law is likely to strongly resemble GDPR as the UK had a prominent role in the drafting of GDPR and is committed to data protection and privacy. These points are reaffirmed by the Queen’s speech on June 21, 2017. At Parliament, the Queen communicated: “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”

While the Queen is speaking about future ambitions, compliance with GDPR should be the primary focus in the interim. The ICO says it best: “We acknowledge that there may still be questions about how the GDPR would apply in the UK on leaving the EU, but this should not distract from the important task of compliance with the GDPR.”

On August 7, 2017, the UK Department for Digital, Culture, Media & Sport published a Statement of Intent outlining a plan to develop a new Data Protection Bill that would align UK law post-Brexit with GDPR. The Data Protection Bill would also include additional provisions to strengthen data protection such as two new criminal offenses.

Therefore, with less than a year until May 2018, it is imperative to begin or continue preparations within your company for compliance with GDPR or be willing to face significant penalties. As a cloud access security broker (CASB), Netskope is committed to assisting companies in this effort and will continue to provide advice and recommendations. To ensure effective cloud compliance and cloud security with GDPR, see our past blog posts about data storage and general advice and take a look at our GDPR Checklist to begin preparations for compliance. In the meantime, if you want to learn more about GDPR and the cloud, download our Managing the Challenges of the Cloud Under the New EU General Data Protection Regulation white paper.