Viewpoint: Brexit Can’t Save U.K. from Data Protection Regs
Whether or not you voted for Brexit, whether or not you believe it’s a done deal, there’s one thing post-referendum that surely isn’t up for debate. For British companies wanting to trade with Europe, the bureaucracy of Brussels isn’t going away. And that particularly applies to data protection.
Some business people may well have heaved a sigh of relief on June 24th at the thought that GDPR (General Data Protection Regulation), the tough new European data protection regulation that was adopted in April 2016 and comes into force in May 2018, would no longer apply in the U.K. That idea was based on the premise that the important thing is where the data is stored.
Unfortunately, that’s not true under GDPR. What matters is whether the data concerns EU citizens, irrespective of where it is stored.
Current U.K. data protection legislation comes from the Data Protection Act 1998, based on the 1995 Data Protection Directive. That will be superseded in Europe by GDPR less than two years from now. In other words, even if Article 50 were notified right now—that is, the treaty that will govern Brexit—GDPR would come into force before the Article 50 two-year post-notification period runs out. Because GDPR is a regulation and not a directive, it does not require enabling national legislation to become law. That means it will apply in the United Kingdom, whether we like it or not.
Even once Brexit is fully negotiated and implemented, the chances are that the U.K. will either have to comply with GDPR or implement data protection legislation of its own that the EU deems adequate (i.e. the same or very similar) if it wishes to keep trading with the European Union. This is likely to be equally applicable to the Network and Information Security Directive, which focuses on cybersecurity and has until May 2018 to be implemented in national law.
So, if U.K. businesses have any ambition to continue selling to European customers, viewing Brexit as an opportunity to side-step data protection obligations is a serious mistake. Despite the GDPR’s short term disruption, the regulation is likely to have a positive impact on data security industry. It will accelerate the modernization of Europe’s data security practices and enforce consistency of approach between EU member states. Nonetheless, it will require European business of all sizes to take a very close look at their security, including those in the UK. From both commercial and practical perspectives, preparations must continue. Regardless of what you make of either Brexit or GDPR, businesses in the UK have no choice but to keep pace with the regulation.
Chris Russell, chief technology officer at Swivel Secure, has over 25 years of experience in product and software development. He joined Swivel Secure from O2, where he had overall technical responsibility for a portfolio of m-commerce websites and the platforms that delivered them. At O2 he delivered a range of product improvements that lead to significant revenue increase. Prior to that Chris worked for British Telecom at their R&D Labs at Martlesham Heathuse.
In Viewpoints, payments professionals share their perspectives on the industry. Paybefore presents many points of view to offer readers new insights and information. The opinions expressed in Viewpoints are not necessarily those of Paybefore.