A consensus already appears to be emerging among legal commentators that many UK organisations will need to comply with the provisions of the European Union’s General Data Protection Regulation regardless of the progress of the UK’s path to Brexit.
The GDPR was due to be adopted by the UK in May 2018 after a long process of EU legislative reform. As soon as the UK officially leaves the EU, in theory the GDPR could be ignored, since data protection is already written into UK law in the Data Protection Act 1998. In practice, however, if the UK continued to be part of the European Economic Area then it would have to abide by the GDPR.
Moreover, as Andrew Cormack points out, any organisation outside the EU that wishes to process the data of “data subjects who are in the Union” will also have to abide by GDPR (Article 3(2)). This would be relevant to a number of UK organisations who need to process the data of EU clients, customers, students etc.
Further, any EU organisation sending personal data to the UK as a non-member state would no longer be able to guarantee that there was “adequate protection” of data in the UK, unless the UK sought to obtain a declaration to the contrary.
The position of the UK vis-à-vis GDPR was summarised by the ICO in a statement published in response to the referendum result:
“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
It is likely, therefore, that elements of the GDPR will be incorporated into UK law however Brexit progresses. Both Anya Proops QC and Eduardo Ustaran argue that any UK business which provides services into the EU will need to understand and comply with GDPR.