On June 23, 2016, barely two months after the EU parliament approved the General Data Protection Regulation, the United Kingdom voted to leave the European Union. In the aftermath of a decision that shocked the world, many questions were raised regarding the legality of withdrawing from the EU.
One question in particular was resounding.
Does the GDPR still apply to UK companies?
“One in four businesses in the UK say they have cancelled all preparations for the EU General Data Protection Regulation,” according to this article from Information Age. A higher percentage of companies may have started preparations, but “a massive 44% of those surveyed said they didn’t think the regulation will apply to UK business after Brexit.”
Recent studies, surveys, and statistics coming from the UK show that many aren’t worried about the GDPR now that Brexit is certain. But it’s too soon—and far too careless—to write off the GDPR as a regulation you don’t have to follow.
The question, “Does the GDPR still apply to UK companies,” is broad in its scope. Perhaps it’s better to break it into two separate questions.
1. Will the GDPR apply to UK companies BEFORE Brexit finalizes?
Though the GDPR was approved in 2016, businesses have been given two years to become compliant with its requirements. This transition period officially ends on May 25, 2018. Companies must be compliant at that time or face steep fines and penalties (up to 20 million pounds or 4% of annual turnover, whichever is higher).
The UK is set to finalize its departure from the EU sometime in 2019, probably March 2019, and at the very least that is ten months after the GDPR becomes enforceable. Since the UK will still be a part of the EU in May 2018, UK businesses must meet all compliance requirements at that time. No exceptions.
2. Will the GDPR apply to UK companies AFTER Brexit finalizes?
Okay, you’re thinking, I only have to comply with GDPR until March 2019, and then I can stop, right? Well, not quite, for two different reasons.
Even after the UK fully exits the EU, the GDPR applies to all companies that process or store the personal data of EU citizens, wherever in the world those companies are located. So if your company has EU clients or processes EU citizens’ data, yes: the GDPR still applies to you, and so do its fines and penalties if you fail to comply with its requirements.
The UK government has also spoken up about the future of the GDPR after Brexit. Phil Lee, partner at Privacy, Security and Information law group in London, writes: “The UK government has signalled that, in order to provide continuing legal certainty for citizens and businesses, all existing European law will essentially be ‘copied and pasted’ into UK law … by the time the UK leaves the EU.” This most likely includes the General Data Protection Regulation, which Lee guesses will simply be renamed as an act but encompass the GDPR’s requirements and legalese.
Furthermore, Lee encourages UK businesses to be more vigilant than ever about meeting compliance requirements, as they’ll “most likely need to comply with both UK and EU data protection law.” So while Brexit is set to bring about many changes for UK-based companies, being off the hook for full compliance isn’t one of them.
What should you be doing right now?
Prepare, prepare, prepare. The deadline for complete GDPR compliance is fast approaching, and the penalties and fines are far too steep to ignore.
To help businesses ready themselves for May 2018, we’ve put together two resources covering everything you need to know about the General Data Protection Regulation. Check them out!