The UK’s vote to leave the EU has introduced an added layer of complexity around data privacy in the UK. This is an area already in the midst of transition from the existing Data Protection Act 1998 to the more stringent regime under the new General Data Protection Regulation. We have prepared a briefing for clients looking at how Brexit is likely to impact data privacy obligations in the UK and considering how data privacy strategies should be adapted now.
The UK electorate has voted to leave the EU. What is the likely impact on the data privacy obligations of UK businesses?
Immediate Impact

The vote for Brexit is of no legal effect per se. It is merely an instruction to the UK government to withdraw from the EU. Withdrawal involves a number of formal steps, beginning with the UK notifying the EU of its intention to withdraw under Article 50 of the Treaty on European Union. Current indications are that this will not happen until a new Conservative Party leader has been elected. The UK and the EU must then negotiate the terms of the UK’s exit, which is likely to take a minimum of two years.

Nothing will change until the UK actually leaves the EU. That means businesses must, for now, continue to comply with the Data Protection Act 1998 (DPA) and the E-Privacy Regulations. They should also anticipate, and prepare for, the more stringent data privacy regime which will be introduced by the General Data Protection Regulation (GDPR). Businesses must comply with the GDPR from 25 May 2018.

The Longer Term

The effect of the UK’s exit from the EU on data privacy obligations will depend on what the UK and the EU negotiate as the alternative to EU membership. There is considerable uncertainty around this at the moment. However, three exit models appear to be the main options.