Brexit won't provide escape route from new EU data protection rules

Lawyers warn that GDPR is coming regardless of what happens in June referendum vote

Regardless of the result of the UK's referendum on continuing membership of the European Union, organisations must still be prepared to implement the recently passed General Data Protection Regulation (GDPR).

The GDPR has been more than four years in the making, with the European Parliament only finally voting in favour last Thursday. The vote means that the GDPR should come into force during 2018, giving organisations just two years to adjust to the new rules governing data collection and processing. These include:

• Fines up to four per cent of annual turnover for breaching the GDPR, or €20m, whichever is greater;
• Requirement for dedicated data protection officers in firms with over 250 employees;
• A right to data portability that lets citizens move data out of a company's database.

Such measures could well be seen as onerous, particularly for firms that already see the EU as creating unnecessary burdens and red tape for their operations. So a vote to leave Europe could be seen as a chance to escape from under the yoke of the GDPR.

However, Mark Thompson, privacy practice leader at KPMG UK, warned that any organisation with this view is mistaken.

"The hope is that the heavy fines and onerous new requirements introduced by the GDPR won't be applicable to them if Britain leaves the EU. Some might argue that this would be an additional benefit for businesses in the event of a Brexit," he said.

"[However] should Brexit happen, the GDPR, or something very close to it, is likely to be passed in the UK. The reality is that Britain needs to trade with the EU, and trade these days is increasingly reliant on personal information."

Rob Sheldon, a partner in Fieldfisher's Manchester office, agreed with this, noting that UK businesses will still have to comply with GDPR whatever the outcome of the referendum.

"Post-Brexit, UK companies doing business in the EU, or with companies in the EU, will effectively have to comply with the GDPR in the same way that other non-EU companies must comply, such as when they aim goods or services at citizens in the EU, or provide hosting services for companies in the EU," he said.

"As with the EU/US position currently, doing business with companies in the UK may become more difficult from a data protection compliance perspective post-Brexit (unless there is an adequacy decision, which would be dictated by the UK's data protection laws post-Brexit and whether or not they're equivalent to the GDPR)."

The silver lining for firms wary of the GDPR is that the law is unlikely to start being enforced until 2018, providing some breathing space to get the necessary processes in place.