My colleagues at Howard Kennedy (@howardkennedy_) and I presented a breakfast seminar this morning on the new EU General Data Protection Regulation.
One of the things we spoke about was the effect of the UK voting to leave the EU next Thursday. If Brexit happens, would the GDPR still be relevant to us, since it does not come into force until 2018?
Our conclusion is that it would still be highly relevant to UK businesses. If we leave the EU and join the EEA (European Economic Area), we would be obliged to adopt European data protection standards. All the current members of the EEA have to abide by the existing Data Protection Directive as a condition of being part of the EEA.
Further, unlike the current law, the new GDPR applies to all Data Controllers based completely outside of the EEA, if they monitor or provide goods or services to individuals in the EU. So, assuming we still want to sell to Europe, the UK would be caught even if we sever political ties with the Continent completely.
It seems the Information Commissioner's Office agrees with this viewpoint. See the quote below. There's no escape from the GDPR!
Iain Bourne, group manager at the Information Commissioner's Office, said during a panel discussion at Infosecurity Europe in London that UK organisations will have to abide by the GDPR, or very similar UK legislation, if the country stays in or leaves the EU.