Rely on the most comprehensive, up-to-date legal content designed and curated by lawyers for lawyers
Work faster and smarter to improve your drafting productivity without increasing risk
Accelerate the creation and use of high quality and trusted legal documents and forms
Streamline how you manage your legal business with proven tools and processes
Manage risk and compliance in your organisation to reduce your risk profile
Stay up to date and informed with insights from our trusted experts, news and information sources
Access the best content in the industry, effortlessly — confident that your news is trustworthy and up to date.
With over 30 practice areas, we have all bases covered. Find out how we can help
Our trusted tax intelligence solutions, highly-regarded exam training and education materials help guide and tutor Tax professionals
Regulatory, business information and analytics solutions that help professionals make better decisions
A leading provider of software platforms for professional services firms
In-depth analysis, commentary and practical information to help you protect your business
LexisNexis Blogs shed light on topics affecting the legal profession and the issues you're facing
Legal professionals trust us to help navigate change. Find out how we help ensure they exceed expectations
Lex Chat is a LexisNexis current affairs podcast sharing insights on topics for the legal profession
Printer Friendly Version
In the current post-referendum/pre-Brexit world there is plenty of speculation on the future of data protection in the UK.
For some, lowering the Union Flag in Brussels, folding it neatly into a diplomatic bag and hurling it into the hold of the next flight back to London, will give us the power to do what we want. We will have the power to draft our own data protection laws.
We will have the power to draft our own international data transfer arrangements. We will, in effect, be able to take back control of our data protection laws.
What’s to stop us, for example, entering into a more flexible framework like the new EU-US Privacy Shield? This would mean, post-Brexit,
we’d be free to transfer personal data to and from the other 27 member states of the EU without the pettifogging red tape of its new data protection regime, the General Data Protection Regulation (GDPR), which applies from 25 May 2018.
We could devise our own flexible, light-touch regime.
Game, set and match to the UK!
Others say that the only way forward is full compliance with the GDPR, or as near to full compliance as is humanly possible. No ifs and no buts: if we want to continue trading with the rest of the EU in some form, there is no alternative.
The reality is that the UK’s room for manoeuvre is limited for many reasons; some of which have been overlooked in the fog of war since the vote to leave the EU. In the battle to understand where our ‘troops’ are placed, we seem to have
forgotten that they are not all in Brussels. While we may be abandoning the Belgium capital—to what degree is yet to be determined - we still have a large battalion deployed some 300 miles down the road at the Council of Europe in Strasbourg.
Brexit may well mean Brexit but, as the Prime Minister confirmed on the day she launched her bid to be Tory leader, there are no plans to stray from Strasbourg.
Many may have forgotten that the Council of Europe is not the same as the EU’s European Council or Council of the European Union. Things aren’t helped by all these European institutions having the same flag: the circle of twelve gold stars
on an azure background. (Is it any wonder people get lost in this institutional maze? It is like the Houses of Parliament in the UK sitting alongside two independent bodies named the ‘Parliamentary House’ and the ‘Houses of UK Parliament’
with some or all of them passing laws on the same subject to varying degrees.)
So, putting aside this natural confusion, why does this matter?
Quite simply, the Council of Europe also has the power to legislate on data protection matters and, what’s more, has already done so.
In simple terms, this means that the UK will not be taking back control of any data protection laws from Strasbourg. Indeed, a UK Privacy Shield is arguably a non-starter since it would be unlikely to comply with the Council of Europe’s rules on
data protection: the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
When this little-known legal instrument was ratified by the UK, on 26 August 1987, Rick Astley was at number 1 with his hit tune, ‘Never gonna give you up’. Perhaps this is now a prediction of the UK’s future relationship with the GDPR?
It is clear that the odds are currently stacked against a compelling UK alternative to the GDPR, particularly given that these new EU rules are based on parts of the convention. Any UK data law, if one is required depending on our future relationship
with the EU, would likely need to borrow heavily from the GDPR.
Perhaps, ultimately, we’ll see a slightly tweaked General Data Protection Act or ‘GDPA’?
Moreover, for a short—or not so short—period between 25 May 2018 and Brexit Day (I hesitate to use ‘B-Day’. I’ll let you work out why) the UK will still be a EU member state. Any UK organisation will be subject to fines of
up to 4% of its worldwide annual turnover or €20 million, whichever is higher, for breaching the new data rules. Present this stark fact to any board member and watch the blood drain from their faces quicker than they can mumble ‘GDPR compliance’.
So, what to do?
The simple and most practical answer is to work on the basis that the GDPR will apply to the UK. Given that we don’t know when Brexit will take place and the form that it will take, the interim period during which time the GDPR is in force in the
UK is likely to be longer than many people imagine. And that’s not forgetting that many organisations will still need to comply with the new regime anyway as they have operations in Europe.
Giving up the GDPR will be hard to do – adding a layer of meaning to Rick Astley’s number 1 single that nobody could have foreseen.
0330 161 1234