Leaving the EU is a two-year process, so the UK will still be a member when the update to the EU General Data Protection Regulation (GDPR) comes into force in May 2018.
Some things are already clear. For example, even if the UK does make changes to its implementation of GDPR following Brexit, companies that do business in Europe will still have to comply with EU data protection rules.
But at the same time, there could be some adjustments after the UK leaves the bloc. It is said that one casualty of post-Brexit Britain could be the ‘right to be forgotten’ – an EU ruling giving individuals the right to demand that search engines remove links containing personal information about them.
In theory, when the UK leaves the EU, a company such as Google would be able to apply to a British Court for a ruling to say there is no such right to be forgotten in this country.
Although the right to be forgotten is already in place in the EU, some law experts and industry commentators agree it is possible it will not apply to UK citizens after Brexit.
Simon Schnieders is founder of Blue Array, a reputation management company that assists firms under the right to be forgotten. He says that post-Brexit: “It makes sense Google would apply to a British court trying to get the right to be forgotten dismissed.” However, he adds: “Whether the UK government steps in is another thing.”
After Brexit, the UK could very well omit EU clauses it has so far been reluctant to embrace, says Cameron Brown, an independent cyber-defence advisor. He points out that the UK government was “candid in its resistance to the right to be forgotten provisions”.
The UK could also seek to make adjustments to rules covering international data transfer so they are better aligned to current protocols, according to Robert Bond, partner at Charles Russell Speechlys. Today, the UK can transfer data to other parts of the world on the presumption of its ‘adequacy’ to protect citizens.
He explains: “If you can show due diligence on the recipient, then you just need a self assessment. That is there now and I don't see why it wouldn't continue.”
In addition, the Information Commissioner's Office (ICO) in this country has been trying to launch a ‘privacy seal’ in line with EU proposals. This would see companies able to give their compliance programmes to the regulator for audit in the hope of being awarded a ‘kite mark’ to show they are surpassing the requirements of the Data Protection Act when looking after people's information.
Firms would then be accredited to transfer data outside the UK. “I could see a number of businesses using this seal as a differentiator,” Bond says.
In some cases, parts of UK protocol under the Data Protection Act might remain in addition to the EU legislation. For example, changes in the UK's interpretation of GDPR as a result of Brexit could see this country keeping the registration fee companies must pay to the ICO each year, according to Jonathan Armstrong, partner at Cordery.
He explains: “One of the benefits of GDPR is not having to pay up to £500 (depending on company size) to the ICO every year to register. The ICO gets funding from that and the government would have to raise the money from somewhere, so it's likely it would stay. I could see the UK getting GDPR plus registration.”
But one change the UK might see further down the line relates to consent when using data. Bond explains: “There are reasons to use data without consent – such as to save your life, or to do background checks. We have already, in current data protection legislation, the concept of ‘legitimate interests’. If it is in the legitimate interests of the business, it is disproportionate to keep asking about data.”
Historically, common law countries such as the UK have been accepting of legitimate interests, but “we might look at that when we exit”, Bond adds.
However, Armstrong thinks that overall, there will not be any major deviations from GDPR – at least at first. He says there could be more changes to other directives coupled with GDPR, such as the network and information systems (NIS) directive covering cyber-security.
He explains: “The UK has always been less in favour of NIS in part because it's hard to see the point: You have to report breaches; is it too burdensome? I think the UK would have the freedom not to implement this.”
The UK courts
The current maximum fine for a data breach is £500,000 in the UK. This will increase to either four percent of turnover or €20 million – whichever figure is greatest – when GDPR comes into force.
But post-Brexit, if the UK has rules in line with EU GDPR and they are breached, it is the British courts that will adjudicate. This raises the question of whether they will be more harsh or lenient than those in EU countries.
“The UK is also a country governed by common law, which differs to the civil or continental system adopted by many of the EU nations,” says Brown. “In the absence of binding case law, we may see a divergence in how the UK enforces the more punitive provisions of its GDPR equivalent legislation when compared to the legal position among EU jurisdictions.”
However, Armstrong says that in general, the UK courts have enhanced privacy rights. He cites the example of an ICO-backed TalkTalk case where a customer was able to see another person's details online.
With this in mind, says Armstrong: “I think the courts will be similar. The European court is particularly pro-privacy, but so is ours.”
The ICO already has a track record for handing out aggressive fines when data protection is breached. It is thought that when GDPR comes into place, the UK regulator will make examples of the first companies to suffer a breach.
This could be magnified when subject access requests become free under the regulation. Armstrong says: “There are more complaints to ICO than ever before and there are lots of subject access requests. Under GDPR, these become free and then people are likely to ask for more to hold companies to account.”
It is clear that much of GDPR will stay the same, even after the UK has completed leaving the EU. After all, the principles of GDPR – transparency, accountability, consent and having in place adequate information security – are already present in countries both inside and outside the EU, says Bond.
After the UK exits the bloc, says Armstrong, there are several options: “Post-Brexit, we could join the European Economic Area – which allows the free transfer of data. Or, option two is some kind of adequacy finding such as what happens with Canada, which submits its law to the European Commission asking to be declared as ‘adequate’.”
The third option is a screening system such as the US-EU equivalent, formerly Safe Harbor, now ‘Privacy Shield’, he says.
According to Armstrong: “Most people think option one or two are better, but that will mean an assessment of UK privacy law. There are some in the European parliament that want a hard look.”
This is because, he says: “After Prime Minister Theresa May tried to widen powers for surveillance as home secretary, some of the Commission don't trust her to protect rights.”
There are several ways the regulation could be interpreted, says Steve Iddon, lead security consultant at Auriga. The UK could mirror the requirements, or simply adopt the same regulation under a different moniker.
It is true that parts of GDPR might be dropped by the UK, but experts agree companies should start making the move towards compliance now. “We must assume that the bones of the regulation will apply,” says Iddon.
With this in mind, Brown says, firms must follow the ICO's 12-step checklist and guidance around rights, privacy notices and the issue of consent. Not complying “could be very bad for business”, he says.
Aside from the risk of breach, Bond warns: “Companies that fail to comply will likely discover EU trading partners no longer share personal data with them once GDPR is in place.”
The first step is to map out data assets and identify who is using them, says Dr Elizabeth Maxwell, technical director EMEA of Compuware. “It's become like an untended garden including business data, mainframe and emails. Firms need to map out the assets and work out who is using them.” “This would be part of a privacy impact assessment,” she explains.
In addition, says Iddon, firms should appoint a data protection officer (DPO) and select a data protection agency. He advises companies to introduce educational programmes and training to those dealing with personal data.
Dave Packer, vice president of corporate and product marketing at Druva, agrees, saying: “The number one thing is educating people on GDPR. Organisations don't know how to attach the regulation to how to do things as a business.” In addition, he says: “Make sure employees understand their responsibility in protecting data. It's like they are holding someone's money – so take a bank mentality.”