This is the first part of a two-part blog piece on GDPR and Brexit. This first piece focuses on what exactly GDPR is, how it will affect Brexit and what we can expect as part of the new regulation.
Read the second installment here.
GDPR - What is it?
In some shape or form, the application of the EU General Data Protection Regulation (GDPR) on the 25th of May 2018, will apply in the UK, regardless of what happens with Article 50 between now and then. The move to a single EU regulatory environment is the biggest change in data protection in 20 years. It is designed to unify and strengthen data protection for the individual and it aims to simplify compliance for businesses that operate across Europe.
GDPR – (Br)Exit in Style?
Exit negotiations from the European Union can take years and during this time the UK will continue to be subject to EU data protection laws. Regardless of Brexit, the application of GDPR will be incumbent upon any UK business that offers any goods or services to EU citizens or that monitors any EU citizens' behavior. If the UK leaves the EU but continues to participate as a member of the European Economic Area (EEA), it will continue to enjoy free trade with the EU on the condition of submission to EU laws (GDPR included). An exit approach that achieves total independence for the UK will invoke "third country" data protection rules that could restrict UK data exports. The EU Commission would then need to form a view as to whether a post-Brexit UK represents an adequate provider of data protection, in reference to data that is exported from an EEA country. To achieve this stamp of approval from the Commission, the UK will almost certainly need to enhance its data protection laws ensuring that they are materially similar to the GDPR, allowing it to maintain the necessary flow of personal data between the UK and the EU.
GDPR - What's new?
Shakespeare's Hamlet is estimated at around 20,000 words in length and indeed, the Official Journal of the European Union is a lengthy document at 88 pages long and it shouldn’t surprise anyone that the changes involved are significant and cover a number of areas. The territorial scope as defined by the GDPR will capture many more non-EU organisations, with Article 27 enforcing the designation of a representative within the EU for those in-scope non-EU organisations. A broader definition of personal data included in "special categories", as stated in Article 9, includes the processing of genetic and biometric data, requiring a stricter protection regime for such data.
The GDPR also introduces tighter controls for the processing of data that reflects an individual's racial or ethnic origin, political or religious or philosophical opinions or beliefs, and data concerning their health or sex life. Unlike the current Data Protection Directive, the GDPR requires separate consent be obtained for data processing activities unrelated to the reason for its original collection and the data subject will have the right to withdraw such consent at any time. In terms of the fines that can be administered, GDPR joins anti-trust and anti-bribery laws in having some of the highest sanctions for non-compliance. Breaches related to data subjects' rights, consent processing violations and international transfer restrictions will impose the biggest fines, of up to €20,000,000 or up to 4% of total worldwide turnover from the preceding year, whichever is highest.