On Thursday 23 June, UK voters will decide whether to leave or remain in the European Union. With a number of opinion polls continuing to report a very tight race, businesses, government and regulatory authorities are preparing for both remain and exit victories. An exit vote will impact on laws and regulations for UK registered businesses and companies that operate within the EU, in a number of ways, but what about data protection?
Every UK business will still need to adhere to clear and effective data laws, even if the UK votes to leave the EU this summer. This analysis is based on a statement issued by the Information Commissioner’s Office in April 2016. The ICO says: “The UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines.
”Having clear laws with safeguards in place is more important than ever, given the growing digital economy, and is also central to the sharing of data that international trade relies on.”
Whatever the voting outcome, it is possible that the UK may remain bound by the General Data Protection Regulation (GDPR) which is set to become enforceable across the EU in 2018. The legislation, which is a more stringent version of the earlier 1998 Data Protection Act, sets out a strict set of criteria with any breaches potentially resulting in fines based on 2 percent or 5 percent of the company’s annual worldwide turnover.
First proposed in January 2012 by the European Commission, the ruless were formally approved by the European Parliament on December 15, 2015. The GDPR supersedes national laws such as the UK DPA, and is aimed at unifying data protection and managing the flow of personal data across all 28 EU member states.
Key features of the document include the right of individuals to be forgotten, the requirement for companies to make clear how data is to be processed and give consumers the option of selecting preferences. Organizations including companies processing more than 5,000 names each year must appoint a Data Privacy Officer (DPO). Entities will also be required to report serious contraventions of the law to the regulators and to anyone affected.
It is likely that even if there is a Brexit, every UK business offering services to EU member states, regardless of whether or not they hold any EU data, will still need to adopt more stringent rules than the UK Data Protection Act if they wish to trade within the European Free Trade Area (EFTA), like Norway, which has already adopted the GDPR legislation despite not being an EU member.
Predicting exact outcomes here is almost impossible, but the implications for data protection are that there will still be obligations for businesses to protect their customers’ data, just like there are now, with the additional complication of meeting certain EU data protection standards in order to trade within EFTA.
As a business, it is our job to support customers in the best possible way and try and help them navigate through a myriad of increasingly complex EU legislation.
Karen James is managing director of PHS Data Solutions, a division of the PHS Group.