Until the UK exits the EU in March 2019, it will be subject to the EU data protection regulations, namely the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018 and in whose negotiation the UK played an active part.
The new rules strengthen rights and empower individuals by giving them more control over their personal data. For example, the general public will have the right to be forgotten (RTBF), i.e. the right to have their data deleted if certain conditions are met.
However, post-Brexit Britain will have to have its own legislation in place, and it must be in lock-step with the EU rules in order to keep trading with the EU.
The UK is a big player in global data flows. According to a paper published by the UK government in summer 2017, 75% of the UK’s cross-border data flows are with EU countries and are worth billions of pounds in trade. To avoid any disruption and economic losses, Britain must prove that its data protection framework is adequate to allow for a free flow of personal data between UK businesses and the EEA countries.
The UK Data Protection Bill, which would ensure that the UK’s framework is aligned with the updated EU legal framework at the date of withdrawal, was introduced to the House of Lords in September 2017. It was introduced to the House of Commons for debate in March 2018.
Although the UK DPB and the EU GDPR go hand in hand in their commitment to ensure a robust privacy environment, there are some differences:
- Some organizations, e.g. the Home Office, would be exempt under the DPB from handing over information they hold if doing so would undermine the immigration controls in force.
- Data breaches by organizations in the UK could be penalised with fines of up to 4 percent of annual global turnover in the preceding financial year or a maximum of €20M.
However, until the Bill turns into an Act, nothing is set in stone.