EU data law hasn't gone away just because of the referendum result
The decision to leave the EU has created the impression that UK digital marketers have heard the last of the General Data Protection Regulation (GDPR), the EU data law that applies from May 2018. It is nowhere near as straightforward as that. There is strong speculation that the law may still take effect domestically. Knowing whether to prepare matters, because readying a company for GDPR takes a considerable amount of time, money and effort, and the Information Commissioner's Office (ICO) has been given heavyweight powers and sanctions to enforce it should the law come into effect.
UK will need a Data Act if there is no GDPR
The ICO itself is currently non-committal on the subject, but it has issued a statement saying that if GDPR is not adopted then a UK Data Act will have to match it:
"If the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018."
But there is a further complication. GDPR is an EU regulation, so it applies directly in the UK without any act of Parliament; unless the UK has left the EU, or repealed the legislation that gives EU law effect here, before May 2018, it will take effect in less than two years, which is well within the time it will take to conclude a new trade agreement with the EU. What is more, any such agreement will almost inevitably stipulate data handling requirements.
In this circumstance Westminster may decide it is logical to leave GDPR in place, given that the European Economic Area (EEA) Agreement requires GDPR compliance. Thus the three non-EU EEA countries - Norway, Iceland and Liechtenstein - will become subject to the regulation at the same time as the 27 remaining EU countries.
The new EU deal will likely include GDPR compliance for UK industries
Of course, most Brexit leave campaigners rejected EEA membership because of its free movement of people and financial contribution requirements, but nevertheless any deal negotiated is likely to have the EU data law built in. Switzerland and Israel aligned their domestic law with the 1995 Data Protection Directive closely enough to be granted "adequacy" status so that they could trade with the EU more freely, and may well decide to maintain that compliant status. It would be logical for the UK to do the same even if a trade deal did not actually stipulate adoption. UK negotiators may also take the position that withdrawing GDPR would send a negative message to their EU counterparts, and advise the government to keep it on the legislative timetable.
For the time being the current domestic data protection law remains in force, and there are options companies can adopt to manage the uncertainty about the future. UK companies that trade in Europe can create a clear separation between UK and EU operations by adopting a data firewall when processing information. This means implementing a two-track system, which many international companies already have to do when dealing with consumers in different countries and continents. For a UK-only operation with direct sales to EU consumers, the requirements will mainly be to include consent to data transfer in sales contracts and to follow the data protection rules, bearing in mind that GDPR itself applies to any organisation offering goods or services to individuals in the EU, wherever that organisation is based.
But what this does not take into account is that the EU will almost certainly insist on a separate data transfer agreement with the UK, similar to the Privacy Shield with the United States. Although there is still some debate about whether Privacy Shield will stand the test of time because of potentially unresolved flaws, such an agreement would in any case be incompatible with the Investigatory Powers Bill (the "Snoopers' Charter"). The government would have to amend or repeal the Investigatory Powers legislation, or European companies may have to limit severely how they share personal data with their UK partners, customers and suppliers.
How long will it take?
Once negotiation on data transfer begins it is likely that an agreement could be reached relatively quickly. When Safe Harbour was ruled incompatible with EU law in October 2015, it was months rather than years before an alternative was agreed between the EU and the United States.
However, cross-border data transfer is primarily the concern of large international businesses. What matters to most brand owners and retailers is GDPR itself, which is almost certainly a long way down the list for negotiation between the UK and the EU, so there is likely to be uncertainty about it for some time.
So what is the advice on whether to start preparing for GDPR? Given that it will apply directly from May 2018 with no indication that it will be withdrawn, plus the fact that any EEA-based deal is almost certain to require its implementation, the least companies should do is plan for it.
It may help to approach the question purely from a monetary perspective: how much will it cost to be ready for GDPR, versus a fine from the ICO and damage to reputation? Under GDPR the maximum fine rises to 20 million euros or 4% of annual worldwide turnover, whichever is higher. Given those powers, and the heightened sensitivity of consumers to data breaches, it may be best to be prepared come May 2018.