Paul Mather, divisional operations director, says:
The fact of the matter is that when Theresa May sends her letter triggering Article 50 today, the exit process will be a long and drawn-out one and certainly won’t be complete before May 2018. Hence, whatever happens, UK organisations will need to abide by the regulation.
We also need to remember that the regulation applies to any organisation that a) works with or holds data on EU subjects, or b) employs EU staff, hence organisations based outside the EU could well be impacted too. In practice, we will have to wait and see how well this is enforced.
It should also be remembered that one of the stated aims of the GDPR is to provide a common set of policies to remove a “speed bump” when trading and transferring data… and that cross-border data transfers/access are prohibited unless certain conditions are met. Principally, this would be if the country in question has an adequate level of protection.
The ICO (Information Commissioner’s Office) has already said that the DPA (Data Protection Act) is out of date. Indications are that whatever comes along to replace it outside of GDPR would be of a similar level of robustness to enable the cross-border access mentioned above. UK organisations need to be thinking about getting GDPR compliant, but (aside from it being good data security practice anyway) this won’t be wasted when the UK finally leaves.
Moreover, an awful lot of UK organisations will hold data on non-UK EU data subjects, so would still need to abide by the GDPR in these cases whatever happens.
The UK leaving the EU will bring about some changes, arguably some for better and some for worse. GDPR won’t be one of them, however, and is here for the long term, so we need to start preparing for it now.
I think the Information Commissioner, Elizabeth Denham, summed it up best in January this year. “There is a lot in the GDPR you’ll recognise from the current law, but make no mistake this one is a game changer for everyone.”