Update 24/06/2016:

The nation has voted and the UK will be leaving the European Union. We’ll be keeping an eye on what this means for UK Data Protection Laws.


On Thursday the 23rd of June, the British people will be asked whether they want to stay in or leave the EU.

One of the common misconceptions about the referendum is that if the result is ‘leave’ we’ll instantly be out of the EU. This is not true – there will be a period of about two years whilst the UK prepare to exit. During this time, the government will likely review 1000s of laws that have been passed in the UK via Brussels.

Of course, it will also mean that any outstanding EU laws that have not yet been passed in the UK will also be reviewed. One such law is the General Data Protection Regulation (GDPR), which was issued by the EU in December and must be adopted by the UK by 2018, should we remain in the EU.

What is this regulation? How will it affect our current data protection laws, and how might things be different if we do leave the EU?

How the GDPR will change data protection law

The GDPR is a landmark set of reforms that will significantly alter the way that businesses and individuals manage their personal information. It’s essentially an (extremely ambitious) attempt by the EU to create one system of data protection for all member states.

Here’s a rundown of the key changes:

Clearer, more user-friendly privacy policies

Companies will now have to show that consumers truly understand and agree with how their data will be used. This will mean having to revamp privacy policies so that they’re clearer and that users have more options to opt in/out of certain aspects of the agreement.

The right to be forgotten

This is a new right for individuals to be able to request that their information is deleted when it’s not held on legitimate grounds. This could be data held by previous employers, financial services or social media sites.

New process requirements for companies

Companies over a certain size must have a Data Privacy Office in place, which must be given free rein to scrutinise compliance, and advice senior managers should there be a breach. This should be supported by internal infrastructure, such as policies and training, to ensure compliance.

For bigger projects there will be a mandatory prerequisite for companies to carry out Privacy Impact Assessments. These will be used to identify and mitigate risk early on.

Transparency on data breaches

Cyber attacks and leaks have become a lot more regular in recent years, posing a potentially huge risk to both companies and individuals. That’s why the GDPR will require businesses to notify their supervisory authority of any data protection breach within 72 hours if there is a particular threat to individual’s data, or pay a huge fine of up to 4% of group global turnover!

How will Brexit affect these rules?

If the UK leaves the EU then the GDPR will cease to be effective and the UK’s own data protection laws will continue to apply. These are set out in the Data Protection Act (DPA) 1998, which is considered to be now long outdated, as it was conceived all the way back in 1995.

What’s likely to happen to UK data protection law, should Brexit occur? Andrew Dyson, partner and data privacy expert at international law firm DLA Piper, said:

“I anticipate that in due course the Information Commissioner’s Office (ICO) and others will push for reform of the DPA along the lines of the GDPR to support growth of the UK digital economy.

“My expectation is that given all the time and money that has gone into the GDPR, any UK specific legislation is very likely to bear reasonably close alignment to it, rather than taking a ‘start again’ approach, which would unsettle business and create further cost and uncertainty.”

New UK laws would most likely reflect the fact that the country has been historically more pro-business and anti-bureaucracy than the EU. With that in mind, British law would probably simplify certain aspects of the GPR, such as the very detailed requirements about the content of privacy notes. Andrew continued:

“We might also expect the UK to take a more pragmatic view on how far individuals should have the right to be forgotten or object to certain types of data processing activity, potentially giving businesses more control over management of risk in this area.”

There seem to be some benefits to the UK being able to improve on the GDPR with its own laws. But might we encounter some problems, what with the whole EU running off one system and us on another? Jonathan Armstrong, Partner at legal compliance firm Cordery, said:

“It would depend on the country involved and the type of data. There would be more resistance to transferring things like medical data. There would also likely to be issues for UK data centres as businesses need to plan for the long-term and would not want the potential uncertainty Brexit would bring.”

There would also be some issues in the medium term from when Brexit is announced, to when it actually happens. During that time it would be important to get a clear view as to which data protection regime applies, or EU customers may become concerned about using UK services.

Ultimately, although the Brexit referendum will take place shortly, we won’t be sure on the full implications for data protection until some time after the vote is cast.

If we remain in the EU, the GDPR must be implemented by 2018. If we leave, it seems very likely that the current UK data protection regime will continue to apply until reforms are made to bring us up to date.

This not only means that UK citizens will enjoy fewer privacy rights than their EU cousins, but also that businesses may face short-term compliance issues when trading with Europe.

Photo by Rock Cohen

Ready to Talk?

Let's talk