The GDPR is set to replace existing data protection laws in the UK and across the other 27 member states of the EU in an attempt to make them more in tune with the digital age. On 7th July digital trade body the Internet Advertising Bureau (IAB) invited Ruth Birdman from law firm Bird & Bird, Iain Bourne from the UK Information Commissioner’s Office (ICO) and Yves Schwarzbart, Head of Policy & Regulatory Affairs, IAB UK to talk about this in light of the UK’s recent EU referendum.
What the event covered:
During the talk it was clear that there is much unknown about what data protection law will look like due to the uncertainty surrounding the UK’s future relationship with the rest of Europe. The UK at some point will have to trigger Article 50 and begin proceedings to exit the EU within two years. This makes any legislative relationship British firms have with the EU certain to change.
The dates of the final Brexit and the incoming GDPR are likely to overlap by about six or seven months. This has led both the IAB and the official data regulator, the Information Commissioner’s Office (ICO), to officially advise that UK firms stick to the current plan and make significant steps to complying with the new Regulation.
Both have issued initial commentary, the IAB identifying a six point plan and the ICO a 12 stage guide. It is also important to remember that any company operating across EU member state borders will also need to comply anyway.
The General Data Protection Regulation (GDPR), it is an attempt by the EU to unify current national data protection rules. Much like other national data protection Regulation it applies at the point of processing data: if your company collects data on users it will almost certainly apply to your organisation.
As a Regulation there is no ambiguity about how it is transposed into national law, the text of the law will directly apply unlike a Directive (such as the so-called ‘Cookie Directive’ that allowed for flexible interpretation). Also the GDPR isn’t just limited to digital data protection, it covers all areas from medical records to how a company may choose to market to you.
What could happen to UK data Law?
It was discussed that at the moment, UK firms are currently subject to the current Data Protection Act (DPA) and this for the time being will not change. It is unlikely to change straight away even after the exit from the EU is finalised. What our data protection laws could look like in the future will ultimately depend on the outcome of the exit negotiations and what the UK’s relationship with the EU will be like after.
The UK could, for example, become a member of the European Economic Area (EEA), which would mean that GDPR would be enforced in its majority, but not completely.
The speakers also highlighted the possibility that we could become a member of the European Free Trade Association (EFTA) like Norway or Switzerland meaning we wouldn’t have to interpret the GDPR agreement directly but would probably have to in some way.
Additionally, the UK could look to create our own Customs Union, which would give us freedom to choose our own data laws or finally we could join Albania and become part of the Council of Europe, which would again mean we would need some sort of legislation in the UK.
It’s worth remembering the ICO has already stated they will seek an ‘adequacy’ agreement in order to harmonise UK law as much with the rest of the EU regardless of the outcome.
The key theme from the event was that whatever happens within the wider EU negotiations and what the overall Brexit relationship will look like, it is important to remember that the UK will almost certainly adopt some form of newly revised data regulation. How this will look will be unclear, but if you comply with the GDPR you will most likely be in a stronger position moving into any future scenario around data protection.
For digital marketing companies the advice for the moment is continue as before. In this age of uncertainty, it is the only guarantee of future compliance.