On Sunday Theresa May finally fired the starting gun for the process for the UK to leave the European Union. Article 50 of the Lisbon Treaty will be invoked “no later than the end of March next year” she told the Tory Party conference in Birmingham. This will give negotiators two years from the date of notification to conclude trading arrangements with Europe. Unless an earlier date is negotiated (very unlikely given the scale of the task), by April 2019 the UK will be on its own and no longer subject to EU laws.
The Prime Minister also promised a “Great Repeal Bill” in the next Queen’s Speech, to remove the European Communities Act 1972 from the statute book and enshrine all existing EU law into British law on the day of exit. There will then be a process whereby the vast amount of domesticated EU legislation will be sifted. The “good laws” will be retained, some laws amended and some excised from UK law altogether.
What impact do these announcements have on UK Data Controllers who are planning for implementation of the new General Data Protection Regulation (GDPR)? The answer in a nutshell (as I said in my July GDPR and Brexit blog post) is: keep calm and carry on (preparing)!
We now know that, whatever happens, UK Data Controllers will have to comply with GDPR for at least ten months. GDPR comes into force on 25th May 2018 but the Article 50 announcement means we will be in the EU (and subject to all its laws including GDPR) until at least the end of March 2019. Article 50 (3) states:
“The Treaties shall cease to apply to the State in question from the date of entry into force of the withdrawal agreement or, failing that, two years after the notification referred to in paragraph 2, unless the European Council, in agreement with the Member State concerned, unanimously decides to extend this period.”
However, it now seems much more likely that UK Data Controllers will have to comply with GDPR for much longer, beyond March 2019 (perhaps even indefinitely). The Great Repeal Bill (if it is passed by Parliament) will implement the GDPR along with other EU legislation into our law on exit day. The Government must then decide to keep GDPR, amend it or go back to the drawing board. Practically speaking, keeping GDPR is the only option. Civil servants will have their work cut out examining 80,000 pages of EU agreements. At least with GDPR there is broad agreement amongst stakeholders including the ICO (see below) that it is a force for good.
Recently, in her first speech as the new UK Information Commissioner, Elizabeth Denham extolled the virtues of GDPR and reiterated the need to prepare for it regardless of the uncertainty about what the future relationship with the EU will look like. She also said in a BBC interview:
“The UK is going to want to continue to do business with Europe”.
“In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.
“The UK was very involved in the drafting of the regulation – it will likely be in effect before the UK leaves the European Union – so I’m concerned about a start and stop regulatory environment.”
Many of GDPR’s key provisions, such as breach notification and the new DP Principles, will require careful planning. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, a “wait and see” approach would be very risky. Brexit from the EU does not mean Brexit from the GDPR.
Act Now Can Help
We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. GDPR requires many Data Controllers to appoint a dedicated Data Protection Officer. Our GDPR Practitioner Certificate (GDPR.Cert), with an emphasis on the practical skills required to implement GDPR, is an ideal qualification for those aspiring to such positions.