Do UK Businesses still need to worry about GDPR with Brexit looming?
Later this year the UK government is expected to trigger Article 50, the first concrete step in its highly anticipated departure from the European Union.
But with the General Data Protection Regulation (GDPR) due to come into effect in May 2018, what impact will Brexit and GDPR have on UK businesses, and where do firms stand in relation to GDPR when the UK is no longer part of the EU?
In short, the UK's decision to leave the European Union won't affect UK businesses too much at all; that is, for the time being at least. If Article 50 is indeed triggered at some point this year, the UK will continue be part of the EU until 2019 at the earliest, meaning UK businesses still need to become GDPR ready by 25th May 2018.
In a statement made before the Culture, Media and Sports Select Committee late last year, Secretary of State Karen Bradley MP, said: "We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
With this is mind, UK businesses are advised to begin the process of investing their time and resources into preparing for this new data protection law.
What happens post Brexit, however, will be largely dependent upon whether or not the UK joins the European Economic Area (EEA). If it does then GDPR will continue to apply to the UK, albeit, with some small practical changes. However, if the UK opts out of the EEA, GDPR will no longer apply and therefore transferring personal data from EU member states to the UK would no longer be permissible without additional legal protections or safeguards in place.
In summary, whatever the outcome may be post Brexit, UK businesses will still be fully subject to GDPR rules for the best part of 12 months at the very least, and therefore, should start getting their business ready for GDPR immediately to ensure they are completely compliant with GDPR standards before its introduction next year.