EU referendum: no excuse to put off data protection preparations

Don't wait until after the EU referendum to start preparing for the new EU data protection regulations, advises Sarah Thompson, lawyer with international firm McGuireWoods.

The EU General Data Protection Regulation (GDPR), which replaces the current Data Protection Directive, is due to come in in 2018. But any employers hoping that Brexit will remove the requirement for compliance with the GDPR will be sadly mistaken.

Brexit resources

Podcast: Potential employment law implications of a Brexit

What might happen to TUPE when the UK leaves Europe?

EU referendum: how to get ready for a potential Brexit

Whether we are in or out, the likelihood is that companies processing personal data will still need to observe the EU's new data protection law, or equivalent UK legislation.

Of course, assuming we do vote to leave, the impact of Brexit on businesses and their processing of personal data will depend on how the Government decides to maintain our relationship with the EU.

We also know that the vote on 23 June will not mean that we leave the EU immediately and revoke all EU laws. There will be a two-year exit period during which negotiations will take place over the terms of the exit, and various transitional measures would have to be put in place.

As it stands

The UK's current data protection regime is governed by the Data Protection Act 1998, which implemented the European Data Protection Directive into national law.

The GDPR is all set to be published this summer and will be applicable two years later (likely May 2018). It will harmonise data protection laws across all EU member states and will catch not only EU companies, but any company targeting EU citizens.

The excuse that a company does not have operations or processes personal data in the EU will not stand. Deciding if the GDPR will apply will depend on whether or not a business handles personal data of EU citizens, not whether or not it is located in the EU.

While the GDPR is similar in some parts as the current law, it does contain some significant changes.

These include new accountability obligations (including obligations to keep data processing records, appoint a data protection officer and conduct impact assessments for more risky processing) and new data breach reporting obligations.

It also imposes eye-watering fines for those who do not comply (up to 4% of annual worldwide turnover). Therefore, companies waiting for the results of the referendum could find themselves short on time to implement compliance programmes before the 2018 deadline.

How Brexit would impact the law

Whatever happens in June, there will still be changes to the UK's current data protection law. If we stay, we will be governed by the GDPR once enacted. If we leave, UK companies operating in EU countries or targeting EU citizens will still need to comply with the GDPR, but what is not yet clear is the nature of the UK's own data protection law.

Businesses may hope that the Government enacts a new, less burdensome, data protection regime in the UK. Whether Brexit happens before or after the GDPR comes into force may determine its exact form.

However, it is likely that the UK would need to enact similar data protection laws to the GDPR. This is largely due to the restrictions on international data transfers.

In order to transfer personal data outside the European Economic Area (EEA), the recipient country must ensure an adequate level of protection, taking into consideration the data protection laws in force in that country and its international commitments.

So to enable free data transfers with the EEA, the UK would either need to become a member of the EEA or seek confirmation from the EU Commission that the UK is a "safe third country" to receive personal data from the EEA.

Either of these options would require that the UK data protection legislation to provide a level of protection essentially equivalent to that guaranteed by the GDPR.

If the UK does not become a member or the EEA or is not categorised as a "safe third country", UK companies that transfer data to the EEA will need to consider changes to the way they transfer that data, which could include the implementation of standard contractual clauses or binding corporate rules, and could be a burdensome process.

What does this mean for businesses?

If a leave vote occurs on 23 June, it is unlikely that it would create significant changes for businesses processing personal data in the UK. The UK will likely impose similar laws to those being enacted under the GDPR, at least for data transferred to and from the EEA.

In any event, UK businesses established in EU countries or who target EU citizens will still have to comply with the GDPR. Therefore, whether we stay or go, the best course of action for businesses is to continue to prepare for the GDPR; they need to be reviewing their existing compliance programs to make sure they can be updated or new ones implemented.