Whether or not you voted for Brexit and whether or not you believe it’s a done deal, there’s one thing post-EU Referendum that surely isn’t up for debate. For British companies wanting to trade with Europe, the bureaucracy of Brussels isn’t going away – and that applies in particular to data protection, writes Chris Russell.
Some business people may well have heaved a sigh of relief on Friday 24 June at the very thought that the General Data Protection Regulation (GDPR), the tough new European data protection regulation that was adopted in April 2016 and comes into force in May 2018, would no longer apply in the United Kingdom. That idea was based on the premise that the important thing is where the data’s stored.
Unfortunately, that’s not true under the GDPR. What matters is whether the data concerns EU citizens, irrespective of where it’s stored.
Current UK data protection legislation comes from the Data Protection Act 1998, itself based on the 1995 Data Protection Directive. That will be superseded in Europe by the GDPR less than two years from now. In other words, even if Article 50 were notified right now, the GDPR would come into force before the Article 50 two-year post-notification period runs out.
As the GDPR is a regulation and not a directive, it doesn’t require enabling national legislation to become law. That means it will apply here in the United Kingdom, whether we like it or not.
Even once Brexit is fully negotiated and implemented, the chances are that the UK will either have to comply with the GDPR or implement data protection legislation of its own that the EU deems adequate (i.e. the same or very similar) if it wishes to keep trading with the European Union. This is likely to be equally applicable to the Network and Information Security Directive, which has until May 2018 to be implemented in national law.
Making a serious mistake
If UK businesses have any ambition to continue selling to their European customers, viewing Brexit as an opportunity to side-step data protection obligations is a serious mistake.
Despite the GDPR’s short-term disruption, the regulation is likely to have a positive impact on the data security industry. It will accelerate the modernisation of Europe’s data security practices and enforce consistency of approach between EU Member States.
Nonetheless, it will require European businesses of all sizes to take a very close look at their security, including those in the UK.
From both the commercial and practical perspectives, preparations must continue. Regardless of what they make of either Brexit or the GDPR, businesses in the UK have no choice but to keep pace with the regulation.
Chris Russell is CTO at Swivel Secure