As the UK prepares to vote on whether to leave the European Union, businesses are being warned not to give up on data reforms inspired by the forthcoming EU General Data Protection Regulation (GDPR).
Businesses across the country have been studying the implications of the new Regulation, due to be in force in May 2018, which aims to create a ‘one-stop shop’ for data protection across the European Union.
Some of the key aspects of the bill include huge fines for data breaches, new rules around the collection of personal data and new rights for European citizens to ask for data to be deleted or edited. Many businesses will also be required to appoint a data protection officer.
However, the Brexit vote opens up the possibility that the UK could be out of the EU by the time the regulation comes into force.
While it may be tempting for some businesses to think the regulation will not apply if the UK leaves the EU, that isn’t the case.
“Although an independent Britain would not be a signatory of the regulation, in reality it would still be impossible to avoid its implications,” said John Culkin, director of information management at Crown Records Management. “The regulation governs the personal data of all European citizens, providing them with greater control and more rights over information held about them.
“So any company holding identifiable information of an EU citizen, no matter where it is based, needs to be aware. With millions of EU citizens living in the UK, too, it’s hard to imagine that many businesses here would be unaffected. The same applies to data breaches involving the personal data of European citizens.”
Even if the UK votes to leave the EU, data in the UK will continue to be regulated by the current Data Protection Act, which was passed in 1998.
A spokesperson for the Information Commissioner’s Office (ICO), an independent body set up to uphold information rights, said: “Although derived from an EU directive, the Data Protection Act was passed by the UK Parliament and will remain in place after any exit, until parliament decides to introduce a new law or amend it.
“The UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines.
“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on. The UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.”