Brexit and GDPR: What to Expect

When it rains, it pours.

After the European Parliament gave final approval to the GDPR in April 2016, businesses around the world scrambled to make sense of the new data protection law and the obligations it imposed. And then, roughly two months later, came the Brexit referendum and the UK's decision to leave the EU.

Organizations that hadn't yet come to terms with the GDPR were suddenly faced with the prospect of creating not one, but two new data protection strategies: one to meet the EU regulation, and another to comply with whatever rules would apply in the UK after its exit from the EU was complete. It was hardly surprising when companies in North America and elsewhere began to consider leaving the European market entirely, rather than dealing with the complexity and uncertainty that the legal developments had created.

Fortunately, some of the initial fog has cleared away in the past year. The EU's Article 29 Working Party has begun to issue guidance on how organizations can comply with the law's many new requirements. Meanwhile, the British government has officially begun the process of leaving the EU and has provided insight into the country's post-Brexit approach to data protection regulation.

While many details are still to be determined, the basic facts are clear: organizations in the UK, along with any others that do business in Britain, must be prepared to comply with the GDPR before and after the Brexit process is complete.

Timing is Everything

On March 29, 2017, British Prime Minister Theresa May delivered a letter to the President of the European Council, officially triggering the UK's exit from the EU under Article 50. Article 50 allows two years for withdrawal negotiations (a period that can be extended only by unanimous agreement), so the UK will still be a member of the EU on the GDPR's effective date. Since the GDPR is a regulation rather than a directive, member states do not need to transpose it into national law: it is directly applicable in every member state as soon as it takes effect.

The bottom line? Organizations based in the UK (or operating there) will have to be in compliance with the GDPR by May 25, 2018, or risk the heavy fines and other sanctions that the law provides. And that's not all: if the UK remains a part of the European Economic Area after withdrawal (a point to be determined during the Brexit negotiations), the GDPR will continue to have the force of law there even after the exit is finalized.

2019 and Beyond

Many companies will need to make major changes to their business processes in order to comply with GDPR mandates such as obtaining clear, affirmative consent wherever consent is the lawful basis for processing, and honoring the much-publicized "right to be forgotten" (the right to erasure). Perhaps conscious of the large amounts of time and money that organizations will invest in making these changes, the British government has announced its intention to align its post-Brexit data protection rules with the GDPR.

The announcement may have been unwelcome news for companies that had been hoping to dodge the GDPR until Brexit was complete. However, the consistency provided by this approach should benefit the thousands of organizations that do business on the continent and will therefore need to remain compliant with the GDPR no matter what happens in the UK.

Are You Prepared?

Industry surveys show that many businesses in Europe, the UK, and North America have not yet begun to implement the changes that the GDPR will require. If your organization is looking for a starting point, read "Data Protection by Design: Preparing for Europe's New Security Regulations", and find out how enterprise-wide encryption with Smartcrypt can keep your data safe and help you meet your GDPR obligations.