Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

Personnel Today

Register
Log in
Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

BrexitData protectionLegal opinion

EU referendum: no excuse to put off data protection preparations

by Sarah Thompson 7 Jun 2016
by Sarah Thompson 7 Jun 2016

Don’t wait until after the EU referendum to start preparing for the new EU data protection regulations, advises lawyer Sarah Thompson.

The EU General Data Protection Regulation (GDPR), which replaces the current Data Protection Directive, is due to come in in 2018. But any employers hoping that Brexit will remove the requirement for compliance with the GDPR will be sadly mistaken.

Data protection resources

General Data Protection Reguation comes into force

Data protection policy

Employment law manual: data protection

Whether we are in or out, the likelihood is that companies processing personal data will still need to observe the EU’s new data protection law, or equivalent UK legislation.

Of course, assuming we do vote to leave, the impact of Brexit on businesses and their processing of personal data will depend on how the Government decides to maintain our relationship with the EU.

We also know that the vote on 23 June will not mean that we leave the EU immediately and revoke all EU laws. There will be a two-year exit period during which negotiations will take place over the terms of the exit, and various transitional measures would have to be put in place.

As it stands

The UK’s current data protection regime is governed by the Data Protection Act 1998, which implemented the European Data Protection Directive into national law.

The GDPR is all set to be published this summer and will be applicable two years later (likely May 2018). It will harmonise data protection laws across all EU member states and will catch not only EU companies, but any company targeting EU citizens.

The excuse that a company does not have operations or processes personal data in the EU will not stand. Whether or not the GDPR will apply will depend on whether or not a business handles personal data of EU citizens, not whether or not it is located in the EU.

While the GDPR is similar in some parts as the current law, it does contain some significant changes.

These include new accountability obligations (including obligations to keep data processing records, appoint a data protection officer and conduct impact assessments for more risky processing) and new data breach reporting obligations.

It also imposes eye-watering fines for those who do not comply (up to 4% of annual worldwide turnover). Therefore, companies waiting for the results of the referendum could find themselves short on time to implement compliance programs before the 2018 deadline.

How Brexit would impact the law

Whatever happens in June, there will still be changes to the UK’s current data protection law. If we stay, we will be governed by the GDPR once enacted. If we leave, UK companies operating in EU countries or targeting EU citizens will still need to comply with the GDPR, but what is not yet clear is the nature of the UK’s own data protection law.

Businesses may hope that the Government enacts a new less burdensome data protection regime in the UK. Whether Brexit happens before or after the GDPR comes into force may determine its exact form.

However, it is likely that the UK would need to enact similar data protection laws to the GDPR. This is largely due to the restrictions on international data transfers.

In order to transfer personal data outside the European Economic Area (EEA) the recipient country must ensure an adequate level of protection, taking into consideration the data protection laws in force in that country and its international commitments.

So to enable free data transfers with the EEA, the UK would either need to become a member of the EEA or seek confirmation from the EU Commission that the UK is a “safe third country” to receive personal data from the EEA.

Either of these options would require that the UK data protection legislation to provide a level of protection essentially equivalent to that guaranteed by the GDPR.

If the UK does not become a member or the EEA or is not categorised as a “safe third country”, UK companies that transfer data to the EEA will need to consider changes to the way they transfer that data, which could include the implementation of standard contractual clauses or binding corporate rules, and could be a burdensome process.

What does this mean for businesses?

Sign up to our weekly round-up of HR news and guidance

Receive the Personnel Today Direct e-newsletter every Wednesday

OptOut
This field is for validation purposes and should be left unchanged.

If a leave vote occurs on 23 June, it is unlikely that it would create significant changes for businesses processing personal data in the UK. The UK will likely impose similar laws to those being enacted under the GDPR, at least for data transferred to and from the EEA.

In any event, UK businesses established in EU countries or who target EU citizens will still have to comply with the GDPR. Therefore, whether we stay or go, the best course of action for businesses is to continue to prepare for the GDPR; they need to be reviewing their existing compliance programs to make sure they can be updated or new ones implemented.

Sarah Thompson

Sarah Thompson is an associate in the employment practice of international firm McGuireWoods

previous post
Employment tribunals need radical overhaul, say lawyers
next post
Sports Direct’s Mike Ashley grilled on employment practices

You may also like

UK and EU agree to collaborate on ‘youth...

19 May 2025

‘Polygamous working’ is a minefield for HR

14 May 2025

M&S pauses hiring as it deals with cyber...

2 May 2025

Labour MPs urge more flexibility with EU over...

24 Apr 2025

Opposition to Supreme Court sex ruling is ‘wishful...

22 Apr 2025

Remote working may have triggered jump in employee...

17 Apr 2025

Trump’s tariffs to hit growth and jobs, warn...

3 Apr 2025

GMC ‘erases’ records on doctors who change gender

21 Feb 2025

Youth mobility scheme on the table for Starmer...

21 Feb 2025

Higgs’ victory has ‘profound’ implications for employers

12 Feb 2025

  • 2025 Employee Communications Report PROMOTED | HR and leadership...Read more
  • The Majority of Employees Have Their Eyes on Their Next Move PROMOTED | A staggering 65%...Read more
  • Prioritising performance management: Strategies for success (webinar) WEBINAR | In today’s fast-paced...Read more
  • Self-Leadership: The Key to Successful Organisations PROMOTED | Eletive is helping businesses...Read more
  • Retaining Female Talent: Four Ways to Reduce Workplace Drop Out PROMOTED | International Women’s Day...Read more

Personnel Today Jobs
 

Search Jobs

PERSONNEL TODAY

About us
Contact us
Browse all HR topics
Email newsletters
Content feeds
Cookies policy
Privacy policy
Terms and conditions

JOBS

Personnel Today Jobs
Post a job
Why advertise with us?

EVENTS & PRODUCTS

The Personnel Today Awards
The RAD Awards
Employee Benefits
Forum for Expatriate Management
OHW+
Whatmedia

ADVERTISING & PR

Advertising opportunities
Features list 2025

  • Facebook
  • Twitter
  • Instagram
  • Linkedin


© 2011 - 2025 DVV Media International Ltd

Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+