Organisations hoping that the looming referendum on Europe will render the recently passed General Data Protection Regulation (GDPR) irrelevant are clinging to a false hope.
The GDPR was four years in the making and was finally passed on Thursday by politicians in Europe, ushering in major new rules relating to data collection and processing. These include:
- Fines up to four per cent of annual turnover for breaching the GDPR, or €20m, whichever is greater
- Requirement for dedicated data protection officers in firms with over 250 employees
- A right to data portability that lets citizens move data out of a company's database
Such measures could well be seen as onerous, particularly for firms that already see the EU as creating unnecessary burdens and red tape for their operations. So a vote to leave Europe could be seen as a chance to escape from under the yoke of the GDPR.
However, Mark Thompson, privacy practice leader at KPMG UK, warned that any organisation with this view is mistaken.
"The hope is that the heavy fines and onerous new requirements introduced by the GDPR won’t be applicable to them if Britain leaves the EU. Some might argue that this would be an additional benefit for businesses in the event of a Brexit," he said.
"[However] should Brexit happen, the GDPR, or something very close to it, is likely to be passed in the UK. The reality is that Britain needs to trade with the EU, and trade these days is increasingly reliant on personal information."
Rob Sheldon, a partner in Fieldfisher's Manchester office, agreed with this, noting that UK businesses will still have to comply with GDPR whatever the outcome of the referendum.
"Post-Brexit, UK companies doing business in the EU, or with companies in the EU, will effectively have to comply with the GDPR in the same way that other non-EU companies must comply, such as when they aim goods or services at citizens in the EU, or provide hosting services for companies in the EU," he said.
"As with the EU/US position currently, doing business with companies in the UK may become more difficult from a data protection compliance perspective post-Brexit (unless there is an adequacy decision, which would be dictated by the UK's data protection laws post-Brexit and whether or not they're equivalent to the GDPR)."
The silver lining for firms wary of the GDPR is that the law is unlikely to start being enforced until 2018, providing some breathing space to get the necessary processes in place.