After what has felt like an extremely long period following the Brexit vote, the UK has now officially ‘left’ the European Union. And, putting political arguments aside, there can be no doubt that it has led to a great deal of confusion surrounding how EU laws and regulations will now affect the UK. One of the areas of confusion is data protection.
The EU brought in new rules surrounding data protection under the General Data Protection Regulation (GDPR) in May 2018 and it was generally understood that the UK would still need to abide by the rules even after Brexit. However, the reality is that things got a little bit more complicated, and there are currently two forms of the GDPR in effect in the UK.
The new so-called UK-GDPR took effect on Exit Day, January 31st 2020. This is because EU regulations are no longer the appropriate legislation in the UK, but businesses will still need to abide by specific rules, and these are currently the UK-GDPR. But of course, the EU’s GDPR is still relevant as it continues to affect UK businesses that process the data of EU businesses and customers.
This has the potential to get complicated, however, so it is important to understand how the UK-GDPR could affect British businesses.
What is the UK-GDPR and how does it differ from the EU version?
The first thing to note is that the UK-GDPR is actually the same law as the EU GDPR with slight changes that relate to domestic British law. This means that at its core, this is the same legislation, making things very simple for businesses in the UK that work in full compliance with the EU GDPR, as they can continue operating as they did before.
However, there are some differences. Specifically, the UK-GDPR actually expands the remit of the European GDPR, adding issues surrounding national security, intelligence services, and immigration. The UK-GDPR specifically puts in exceptions so that the protection of personal data can be bypassed if it is a matter of national security or immigration.
Another major difference is that the UK-GDPR brings down the age that the law covers to 13, from 16 in the EU GDPR. This is to ensure that the law falls in line with the UK’s Data Protection Act.
Additionally, the UK version of the regulation now has the Information Commissioner’s Office (ICO) as the leading regulatory and enforcement body for the UK-GDPR.
Brexit is far from over – and it is causing data issues
It is important to note, of course, that despite the rhetoric of Prime Minister Boris Johnson, Brexit is far from over – this means that things could change significantly. Specifically, there are unresolved data issues. It has been suggested that if the UK cannot come to an adequate agreement with Brussels – and there is no extension period – British businesses that trade in Europe could find themselves in a troublesome position.
The problem centres on national security and how it can work in conjunction with European privacy laws.
What are the implications of Brexit on the GDPR?
Interestingly, there has been the suggestion in some quarters that ditching the GDPR could provide the UK with a competitive advantage over countries with more stringent data protection requirements.
Ultimately, the fact that the Brexit negotiations are ongoing could mean that the UK might choose to take a somewhat different approach to data protection.
How has the GDPR affected businesses?
It should be noted that if changes are made to the UK-GDPR, this would potentially make things more confusing for British businesses – especially those that trade with EU citizens and businesses, as those businesses would still have to abide by the EU’s GDPR.
There are even suggestions that the UK’s data security could potentially be impacted if the government’s negotiators fail to put arrangements in place. So, it is important that companies follow the GDPR as it currently is and keep track of any recommendations from experts as to how things might change going forward.
Will the UK lose protections?
There has been the suggestion that the UK could now miss out on some EU-based protections due to Brexit. Reports have indicated that Google is planning to move British accounts out of the control of EU privacy regulators, and place them under the jurisdiction of the US instead. This could potentially leave British accounts with less protection over sensitive information.
This could have a huge impact on British businesses with Google accounts, with regard to how they protect their customer data.
As things currently stand it is sensible for businesses to act in accordance with the EU’s GDPR, as well as abiding by the changes made by the UK-GDPR. It will be necessary for companies to ensure that they stay up to date with any changes in the regulations, and to do so, it may be necessary to work with external data protection specialists.