Brexit and the GDPR
Published 15 September 2016
On 25 May 2016, the General Data Protection Regulation ("GDPR") came into force. There is now a two-year implementation period, with the deadline for compliance being 25 May 2018.
The outcome of the UK's referendum on its membership of the European Union has left many organisations unclear about the future landscape for data protection. Despite Brexit, it is highly likely that the UK will need to implement the GDPR into UK law.
Even after Brexit, many organisations in the UK will still be caught by the requirements of the GDPR, because the GDPR applies to organisations outside the EU selling goods and services to people in the EU and processing their personal data. That will include any UK company processing personal data about customers in the EU.
The easiest way to ensure that UK companies comply with the GDPR, and are able to continue to trade, is to pass UK legislation equivalent to the GDPR. That would most likely cover the health sector (both public and private) as it would be odd for the stronger protections under the GDPR not to apply to the very sensitive data used within health. In any event, the effect will be the same: the material provisions of the GDPR will survive Brexit.
It would seem unlikely that the UK Government would start from scratch in drafting a new data protection law. Despite the vote for Brexit, it would seem prudent for organisations to continue to prepare for and implement the GDPR. Parliament will have a lot to deal with to implement Brexit, so the time of legislators and the civil servants who support them will be short. It will be unhelpful for organisations working in both the UK and the EU to face slightly different sets of rules. Also, the UK Information Commissioner has had a significant input into the wording of the GDPR. It is difficult to see how the UK could not implement privacy laws that are at least equivalent to the GDPR.
We recommend that CCGs take preparatory steps so that when an announcement is made about the application of the GDPR in the UK, CCGs are ready to move quickly.
Key steps to take now include:
- Identifying your data flows
- Reviewing your contracts to see which ones would need to be amended
- Reviewing your data sharing protocols to see if they would be affected
- Making sure your IT and procurement teams understand that any new IT systems or software should be GDPR compliant
You can also 'future-proof' your contracts now by including clauses that will be triggered when GDPR provisions become UK law. There is often a long lead-in time for amending contracts, as negotiations typically take place either when a contract is first entered into or at the end of its original term, as a precursor to renewal. So it makes sense to start this work now. Other GDPR obligations - like the new rights for data subjects - can be dealt with more quickly and nearer the time when the anticipated legislation comes into force.