IT'S A good question to ask, and one more question to add to the many that we will have after the EU referendum result.
The UK’s existing data protection framework is due to be replaced by a new European General Data Protection Regulation.
The regulation has a number of onerous changes which businesses will have to get to grips with.
We have just under two years to get ready for the new law which is due to come into force in the UK on May 25, 2018.
But should UK businesses bother now, given the UK’s impending exit?
Clearly negotiations with the European authorities could result in the UK agreeing not to implement the regulation.
However this seems extremely unlikely for a number of reasons:
- The implementation date of the regulation is significant. Any formal process to leave the European Union under Article 50 is going to take at least two years – well past the implementation date of the regulation. So, on the face of it, the UK would have to comply with the regulation for a period of time unless agreed otherwise.
- The law will already be part of the way implemented. The clock is already ticking down and the regulator charged with enforcing the current law and the new law, the Information Commissioner’s Office is unlikely to seek to lobby to wind the clock back. The regulation has taken four years to get to this stage.
- Businesses supplying goods and services to European citizens or where an organisation undertakes monitoring of European citizens (e.g. online tracking) are required to comply with the regulation even if they are not based in the Union. Therefore, organisations based in the UK will need to still comply with the regulation if they are trading with the EU.
- A key issue will be sharing personal data with Europe. The law prevents organisations from sharing data to countries outside of the European Economic Area (the Union Member States plus Norway, Iceland and Liechtenstein) unless adequate protection is in place. If the UK falls out of the European Economic Area, then steps will need to be taken to demonstrate “adequacy”. If the regulation is not implemented in the UK, then it could be very difficult to meet the hurdle of adequacy which could be another roadblock to continuing trade with the EU. The UK Government should be mindful not to inhibit our digital economy by not ensuring a level playing field of data protection law.
On this basis, we would be recommending that clients still continue reviewing their existing practices and procedures against the regulation.
Whilst there may very well be political uncertainty, the regulation provides a “best practice” benchmark for handling personal information.
Even if the politicians decide to not implement the regulation, the UK will still have a data protection framework through the existing Data Protection Act 1998 which is very much embedded in our law - let alone our culture.
For more discussion on the possible implications of Brexit on Employment Law policy and practice come along to the Annual Employment Law Conference on November 17, the largest event of its kind in the North-east.
It's an excellent opportunity for a comprehensive employment law update and a chance to network with other HR professionals at the same time.
The sessions include a mix of presentations, finishing with an interactive session looking at the ways to mitigate risk when dealing with whistleblowers in a collective redundancy situation.
- The annual Employment Law Conference takes place on November 17 this year at the AECC.
The full-day event equips delegates with the essential information, knowhow and skills to deal with the demands of employment law and personnel management in an enjoyable way in the company of fellow professionals.
You can also read blogs from speakers Toni McAlindin, Sandy Kemp of Clyde & Co, and Katie Williams and Euan Smith of Pinsent Masons