This is taken from Dark Data: The Hidden Risk to GDPR Non-Compliance, a free industry guide authored by Tim Hyman. In it he examines the requirements of GDPR and explains how dark data could be impacting your compliance efforts. Learn best-practice solutions for new compliance workflows designed to protect your organization.
There was some speculation that GDPR would cease to be relevant following the UK's decision to leave the EU. While we await the detail of what Brexit really means in terms of EU and UK trade agreements, people movement and laws, there has been significant commentary, including a statement from the Information Commissioner's Office (ICO), suggesting that not only will it still apply but that businesses should start compliance preparations now.
The following key reasons are given as to why GDPR still applies:
GDPR Comes Before Brexit
The GDPR comes into force on 25th May 2018. The earliest Brexit can happen is August 2018 and until then all EU laws will apply.
The GDPR applies to the data of EU citizens regardless of where the controlling or processing of that data takes place. This means that countries outside of the EU (including the US and an independent UK) would have to apply GDPR for client data where the client is in the EU.
Adequate Data Protection
For an EU country to trade outside of the EU, 'adequate' data protection measures must be in place. It is likely that GDPR will be the standard set as 'adequate' and the UK would have to introduce an equal replacement if it decided to revert to existing data protection regulations - which would simply be GDPR under a different name.
There are many EU regulations currently in force and all will remain for at least two years until the final Brexit date. It will be a costly and time-consuming exercise to replace these regulations with UK law and even if GDPR is revoked there are likely to be many other areas of law regarded as higher priority.
No. A common misconception is that the GDPR only impacts EU countries. In fact, the new legislation has a global reach. The legislation protects the personal data of EU citizens and will apply to:
- Any business providing goods or services to an EU citizen
- Any business with an office and employees in the EU
- Any business transferring data outside of the EU
Furthermore, if a non-EU business that 'processes' personal data (e.g. a cloud service provider) cannot provide a guarantee of GDPR compliance, an EU business is prohibited from contracting with them.
About the author
Tim is an independent consultant specializing in information security and GDPR technology compliance. This follows 20+ years as an IT Director of top 20 law firms including Reed Smith, Olswang and Taylor Wessing, with a broad-based management responsibility for strategy, systems design, implementation and support.