
Brexit & Privacy Legislation: 6 Reasons Why The GDPR Is Probably Here To Stay

By ISBuzz Team | July 14, 2016 | 6 Mins Read

Whilst the decision by the people of the United Kingdom to leave the European Union has implications for the legislative framework for privacy in the UK, these implications are unlikely to significantly affect the need for organisations to adopt the General Data Protection Regulation (GDPR).

Reason 1 – The 2+ year negotiation phase…

Formal negotiations for exit won’t start until after Article 50 is invoked (which gives our official “notice” to leave the EU), and this now looks to be September 2016 at the earliest. During this mandatory 2-year MINIMUM period all existing legislation (including GDPR) will continue as before. Many forecast that this process might take much longer – with many estimates between 3 and 6 years. The GDPR is actually already law – and although organisations have a 2-year window in which to meet compliance, it would be unwise for businesses to assume that after this period there will no longer be a need to comply…

Reason 2 – Trading with the EU?

The GDPR applies to and can be enforced against organisations which process data on EU citizens regardless of their nationality or location. It doesn’t matter if you are in France, Germany, the USA or India, the GDPR law (and its subsequent penalties) can be applied. Therefore, those UK-based organisations attempting to do business with EU citizens in Europe must comply with the Regulation. Failure to do so presents the risk of substantial fines – up to 4% of global turnover.

Reason 3 – We just trade in the UK therefore we’re ok – right? Maybe not…

With over 3 million EU citizens resident in the UK – and at least 2 million of these in employment – chances are your business may have data relating to EU citizens.

The GDPR is primarily concerned with processing personal information about individuals who reside in the EU (although the EU Parliament also seems to consider residence irrelevant), and offering goods and services to these individuals or monitoring their behaviour. However, who determines whether someone is a resident or not? Does a 2-month holiday in London by an EU citizen mean that they are a non-resident? Does the individual need to be granted residency status within the UK to be excluded from the terms of the GDPR?

Reason 4 – The Information Commission thinks so…

According to a statement on the 26th June from the ICO:

“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words, UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”

This statement implies that our new Information Commissioner (Elizabeth Denham, who has a proven history of backing and enforcing consumer rights while encouraging transparency within business) is likely to encourage legislation that mirrors the requirements of the GDPR. It’s also worth noting that UK privacy professionals were key in shaping this legislation in the first place – and that the view of what constitutes good privacy doesn’t change simply because we chose to exit the European Union.

Reason 5 – Trade negotiations… an easy win.

Over the next few years the pressure to negotiate a strong trade deal with the EU will also drive the adoption of supporting “mirror” legislation – designed to minimise the barriers to continued trade. Some measures (such as open borders) will be highly contentious; however, it is unlikely that improved privacy protection would be seen as such – in fact it’s an issue that many could openly support and encourage as an “easy win”, which would provide increased compatibility and security for UK-EU trade and improved protection for both groups of citizens.

Reason 6 – It needs doing anyway. It’s the right thing to do.

Most of the UK’s existing data protection legislation was written before the widespread adoption of the internet and the consequent globalisation of trade – and the collection of vast amounts of new data about data subjects. Internet-based social media services such as Facebook and Twitter didn’t exist, and currently enforced laws on data protection were not created to accommodate them.

It’s now easier than at any time before to build and infer much about individuals from the data they generate, often unknowingly, in their day-to-day activities. We are all entitled to a free and private life so we need laws that help protect us – and the legal framework prior to GDPR doesn’t cut it.

The GDPR, while far from perfect, does offer an improved model for data protection – and it is (perhaps arguably) the right and pragmatic thing for the UK to adopt similar legislation.

To Conclude

So while it’s true that we are going to be living in uncertain times for a few years to come, it is likely privacy will still be high on the agenda. When the next high-profile data breach or misuse happens (think TalkTalk), the public reaction is likely to be the same regardless of “Brexit”. Ultimately the pressure for organisations to retain and build trust will remain – as will the pressure on regulators to govern.

Although the adoption of the GDPR as mirroring UK legislation is highly likely, we should also be aware that “Brexit” will leave the UK “on the outside” of developing future privacy legislation that may well apply to UK-based organisations in practice. The review of the EU E-Privacy Directive has now started, which is likely to affect how UK businesses can use data and e-mail, social media and other communications to reach EU citizens. It remains to be seen if we have influence over this in the next couple of years – and even if we do, our voice will be less powerful than before.

About Peter Galdies


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
