On June 23, 2016, the British public voted to “leave” the European Union (EU) in a highly anticipated referendum vote. This Brexit vote inevitably generated significant uncertainty as to how EU regulations such as the General Data Protection Regulation (GDPR) would apply to UK companies and enterprises. Now that a year has passed since the vote, the future of GDPR in the UK and what data protection regulations UK companies need to be cognizant of are more clear. Public statements by UK government officials and the Queen illuminate the UK’s commitment to strong data protection laws and adherence to GDPR requirements at least until the UK officially leaves the EU and a new Data Protection Bill is drafted domestically.
The bottom-line is that presently the UK government has acknowledged that the UK will not be leaving the EU before May 2018 when GDPR goes into effect. Therefore, UK companies, whether or not they process or control data on EU persons, will be subject to the regulations put forth in GDPR. However, the Queen and other government officials have made it clear that adherence to GDPR beginning in May 2018 does not preclude the development of and implementation of a stronger and more comprehensive Data Protection Bill unique to the UK that would replace the UK Data Protection Act of 1998.
Two government statements underlie this conclusion and reiterate the obligation of UK companies to ensure compliance with GDPR by May 2018.
Karen Bradley, Secretary of State for Culture, Media and Sport
In an appearance at the House of Commons on October 24, 2016, Secretary Bradley stated that “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
The Information Commissioner’s Office (ICO)
The ICO has reiterated this perspective in confirming that “The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.” ICO is also providing resources and guidance to help companies prepare for GDPR.
And even if the UK does leave the EU in the future, a new UK Data Protection Law is likely to strongly resemble GDPR as the UK had a prominent role in the drafting of GDPR and is committed to data protection and privacy. These points are reaffirmed by the Queen’s speech on June 21, 2017. At Parliament, the Queen communicated: “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”
While the Queen is speaking about future ambitions, compliance with GDPR should be the primary focus in the interim. The ICO