Now the UK has decided to leave the EU, what impact will this have on organisations and compliance with the pending data protection reforms in the General Data Protection Regulation (GDPR)?

It is important to note that the result won’t change anything immediately. It is certain that data protection reforms in the UK will continue to be heavily influenced by EU laws. The UK data protection authority, the Information Commissioner’s Office (ICO), has highlighted this and also stressed that the Data Protection Act 1998 remains the law irrespective of the referendum result.

Agreement on the terms and the timing of withdrawal from the union is the next step in the process for exiting the EU. The precise nature of a post-Brexit UK-EU relationship will be a critical influence on how closely the UK will follow the letter and spirit of the rules in the Regulation.

So why do you need to continue to prepare for the GDPR when the nature of the new UK-EU relationship is unknown? Here are some good reasons why!

1. GDPR is a regulation and is likely to come into force before we leave the EU – As such it is directly applicable with no need for national laws to implement the requirements. It will automatically come into force in all 28 EU Member States from 25 May 2018. Based on current indications on the timing of the UK’s exit, the GDPR is likely to come into force automatically before the UK will have been able to leave the EU.

2. GDPR requires adequacy for cross-border data transfers outside the EU – After leaving the EU the UK will need to ensure that it has an adequate level of data protection in order to continue cross-border trade with EU countries. This will need to mirror GDPR requirements.

3. GDPR has a long arm – The GDPR has long extra-territorial reach and applies to all organisations monitoring or processing personal data of EU residents, regardless of where the organisation is located. Businesses which offer goods or services across borders or monitor activities of EU residents will still be covered by the EU data protection laws.

4. Data protection is vital for consumer trust – Embedding privacy at all stages and all touch points in the data journey must continue to be an overriding and primary consideration for businesses. As awareness of data protections and rights increases, the commercial implications and reputational impact mean that all industries must focus on securing consumer and customer trust.

So you need to take action now to ensure that your data protection standards are raised to GDPR equivalent standards. Preparing for compliance remains vital to avoid the robust penalty regime.

Our top GDPR compliance tips are available here and, in light of Brexit, some additional steps to take are:

- Identify your organisation’s personal data flows from the EU to the UK. These will need to be based on new adequate safeguard measures if the UK leaves the EU and is outside the European Economic Area (EEA).

- Identify those activities that involve processing of data subjects in other EU member states. These will fall fully within the GDPR in light of its extra-territorial scope.

- Monitor the ICO’s guidance on Brexit and GDPR and stay close to MRS for advice on developments.

- Update organisational plans as and when new guidance is released.

We wait to see the level of reforms that the UK Government will make to data protection, in light of the flexibility that leaving the EU may provide, but the direction of travel remains the same and the Fair Data team will continue to provide compliance advice and assistance. So, as has often been quoted recently: Stay Calm and Carry On!
