Data Privacy After Brexit: Keep Calm and GDPR On
UK Seeks Input on Exempting Some Aspects of EU Data Privacy Law
Right now in Britain, three things remain certain: death, taxes and having to comply with the EU's General Data Protection Regulation by May 25, 2018. Despite Britain being set to exit the European Union, however, U.K. legislators have promised to give British businesses a say in how some provisions of the GDPR get enacted, as well as in the shape of the country's future data privacy laws.
For anyone not acquainted with GDPR, it's already law, but not due to be enforced until the May 25, 2018, deadline. And Britain's data privacy watchdog, the Information Commissioner's Office, has made it clear that Britain - as with all 28 EU member states - must comply with GDPR by that date, or face the threat of related enforcement and fines.
Related sanctions can be severe. Under GDPR, EU countries can impose fines of up to 4 percent of a company's global annual turnover, or €20 million ($21.3 million) - whichever is higher. That's a sharp increase from the maximum fine of £500,000 ($640,000), for instance, that the ICO can currently levy.
"However, the regulation leaves it up to each EU country to determine 'whether and to what extent' fines can be imposed on public-sector organizations in their jurisdiction," according to an analysis published by Marc Dautlich and Kathryn Wynn, both attorneys who specialize in information law at law firm Pinsent Masons.
Private-sector firms, however, will face the threat of maximum fines for the most egregious violations. In addition, GDPR applies to any organization, anywhere in the world, that processes the personal data of people in the EU.
Full Brexit Will Follow GDPR Deadline
Britain, of course, is in the midst of exiting the EU, but that won't take effect until after GDPR begins getting enforced. Until Britain concludes its exit negotiations with the EU, which likely won't happen before 2019, legal experts say EU laws will continue to apply in Britain.
With Britain moving to formally sever itself from the rest of the EU - what's left is being referred to as EU27 - some of its own laws will need updating, for example to remove anything that refers to an EU law or previous treaty, because those will no longer apply in Britain.
"We are keen to ensure that data flows are unhindered," Matt Hancock, the U.K.'s minister of state for digital and culture, told the House of Lords EU Home Affairs Subcommittee on Feb. 1. He says that ensuring U.K. businesses can still collect and store Europeans' personal information will require that "an appropriate data protection environment" - signed off on by the EU - would have to be agreed and in place by "the morning we have left the European Union."
The mechanism for making that happen will involve Britain's Data Protection Act, which controls how people's personal information can be used by organizations, businesses or the government.
Coming Update: Data Protection Act
One of the challenges facing Brexit Britain is ensuring that the Data Protection Act will require U.K.-based organizations to secure Europeans' personal data in a manner that's sufficient to meet GDPR requirements.
"Parts of the Data Protection Act will need to be repealed for data processing to be in scope of the GDPR and it is necessary to ensure that we don't end up with the Data Protection Act duplicating or creating inconsistencies with the GDPR because the GDPR will be directly applicable, so we will be bringing forward legislation in the next [parliamentary] session in order to put that into practice," said Hancock, who's also the Conservative MP for West Suffolk in England.
But he refused to speculate on exactly what changes might be made, saying that would be part of Britain's upcoming negotiations with the EU over the terms of its exit and its future relationship.
Government Seeks Derogation Input
The British government has also called for views on GDPR derogations - exemptions - because Britain has some discretion in how it applies certain GDPR provisions. Such areas include sanctions and third-country transfers, the processing of children's personal data by online services, and sensitive personal data and its exceptions, amongst others.
"What steps should the government take to minimize the cost or burden to business of the GDPR?" its related consultation document asks. The deadline for related comments is May 10.
Legal experts say that Britain's future data privacy law will likely resemble GDPR. The ICO, for example, has said that GDPR is a fair and comprehensive law, and noted that if Britain wants to do business with the EU in the future, it must have a similar law on the books (see Irony Alert, Brexit Britain: Comply With EU Privacy Law).
"The fact is that, in many areas, if we do not comply with EU law, we will not be able to trade with the EU," according to an analysis published by international law firm Taylor Wessing. "Areas of law which are particularly unlikely to change include data protection, consumer protection, financial services and product liability."