UK businesses confused over GDPR and Brexit

News by Max Metzger

The Deputy Information Commissioner, Steve Wood says that UK businesses are caught in a confusing place, between looming EU regulation and Brexit

A senior official from the Information Commissioner's Office has given voice to the uncertainty of British businesses over EU regulation compliance and Brexit.

In an interview with Bloomberg BNA, the deputy information commissioner, Steve Wood said that UK companies want a clear idea of what these two clashing, yet profound political tides will hold for those caught in the middle.  

The General Data Protection Regulation (GDPR) comes into action next year, marking a sharp change for UK businesses. Under its auspices, businesses will face massive fines for violations like not reporting, or appropriately remediating a breach. The new measures will bring in a kind of data protection yet unseen in the UK.

That may not be for long though. Earlier this year, the United Kingdom voted to leave the EU throwing the status of those regulations on UK shores into uncertainty. European law still currently applies in the UK, but may no longer by 2019, the time the government plans to make its final departure from the supranational body.

A failure to come to clarity on these two points is not “good because it can delay investment in compliance systems,” Wood told Bloomberg BNA. Wood added that the Information Commissioner's Office (ICO), which governs data protection in the UK, had been putting these concerns to the UK government.

For its part, the ICO has been “working with European colleagues in the Article 29 Working Party” on GDPR guidance.

One possibility of such confusion may be that UK businesses will have to spend a considerable amount on compliance with the GDPR's thorough provisions, only for those to be taken away in 2019, currently set to be the year that the UK ‘brexits'.

This questions appears to have been on the minds of the UK's data protection officials for some time. Earlier this year, Elizabeth Denham, the UK's Information Commissioner told  BBC Radio 4, “The UK is going to want to continue to do business with Europe. In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent. The UK was very involved in the drafting of the regulation — it will likely be in effect before the UK leaves the European Union — so I'm concerned about a start and stop regulatory environment."

She added, “I don't think Brexit should mean Brexit when it comes to standards of data protection."

Those reminders may not be all that effective, Graham Mann MD of Encode UK told “At this time in the Brexit process the ICO is not going to get an answer from the UK Government. It would be better if the ICO were more proactive in informing organisations of the impending implications of GDPR.”

Mann adds that the ‘great repeal bill' will apparently enshrine EU laws into UK law from the date of the UK's departure, so the GDPR may well stay.

“The lead time for organisations to make the necessary changes to become compliant with GDPR is significant, probably at least two years, so doing nothing is a high risk strategy. Given the penalties for non-compliance, any UK-based organisation planning to do nothing would have to have a high risk appetite,” not to mention the fact that any UK organisation that wants to do business in Europe will have to be GDPR compliant.”

The ICO did not respond for comment.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews