What will the vote mean for data protection?
Thursday, June 23, 2016
Election day is upon us and we’ll soon know whether the UK has chosen to Brexit or Remain in the EU. So what does the outcome mean for GDPR (General Data Protection Regulation)?
If we choose to stay in the EU, the GDPR will be applicable to all businesses in the UK when it comes into force on 25th May 2018. This means that there will be:
- More rigorous requirements for obtaining consent for collecting personal data - i.e. consumers will have to opt in to receiving direct marketing, rather than the current opt-out model
- Requirements for an organisation to delete data if the individual revokes consent for the company to hold the data
- Requirements for an organisation to delete data if it is no longer used for the purpose it was collected
- Requirements for organisations to notify the relevant data protection authority of data breaches within 72 hours of learning about the breach
- Establishment of a single national office for monitoring and handling complaints brought under the GDPR
- Increased fines for non-compliance
If we stay, UK companies have almost two years to make their marketing databases compliant by gaining explicit opt-in permission from customers and prospects.
If we choose to leave the EU, the majority of data protection specialists believe that nothing much will change and that we will still be required to comply with GDPR. The reason for this is that, in the event of a UK vote to leave the EU, it is not absolutely clear what will happen and when. The most likely reaction will be that the UK will give notice to leave the EU, using the procedure set out in Article 50 of the Treaty on European Union. This then triggers the need to agree withdrawal terms with the EU and, hopefully, future relationship terms as well.
The UK would leave the EU on the sooner of agreeing terms and the expiry of two years from giving notice to leave. Agreeing terms will probably take more than two years, so at the earliest, the UK would probably leave the EU in late summer 2018, but if giving notice to leave is delayed, departure may be in 2019 or 2020.
Consequently, when GDPR comes in on the 25th May 2018, it is likely we will still be members of the EU and therefore bound by the laws of the Directive. However, on the day that we leave, GDPR will no longer apply to UK organisations unless the UK adopts domestic legislation amending the Data Protection Act to retain GDPR in whole or part, which it is very likely to do.
So, in summary, the vote outcome means very little for data protection, and the clock is ticking, so becoming compliant is the name of the game.