Corporate Compliance Insights

Will Brexit Bust GDPR?

by Nick Henderson-Mayo
March 8, 2017
in Data Privacy, Featured

4 Things That Could Happen Next

How big an impact is Brexit going to have on GDPR? The U.K. government has already committed to bringing the new European data protection regulations fully into force in 2018, but without any post-Brexit deal, could the U.K. find itself stranded on a data protection desert island?

The EU’s General Data Protection Regulation is due to come into force across the bloc on May 25, 2018. It is the biggest shakeup in data protection law for 20 years. The rights of people to access and protect their data will be strengthened, more rules will be added for businesses on how to manage and safeguard data, data protection training requirements will become stricter and much harsher penalties will be implemented for getting it wrong.

Brexit has caused a wave of uncertainty about how GDPR might be implemented in the U.K. and what might happen once the U.K. is out of the EU.

What We Know Now

The U.K. government has signalled its intention to trigger Article 50 before the end of March 2017, kicking off the two-year countdown to the official exit from the EU. Barring further changes, the U.K. should have left the EU by April 2019. Assuming that the U.K. remains a full member of the EU until that date, GDPR will automatically apply to the U.K. in 2018.

Both the Information Commissioner’s Office (ICO) and the U.K. government have indicated that GDPR will be implemented regardless of the U.K.’s eventual relationship with the EU.

The U.K. has a strong data protection record itself. Britain’s ICO was the original instigator of GDPR, identifying the need to update data protection law back in 2009. The U.K. is also a world leader in data systems, cybersecurity and privacy law. However, research by KPMG has shown over 60 percent of CEOs are concerned about British privacy regulations becoming out of step with the EU after Brexit and impacting their business.

Full Compliance

To maintain full compliance with GDPR, the U.K. must maintain an adequate level of protection for individuals. That means someone in France, Spain or the U.K. must have a very similar level of data protection and expect companies and nations to look after their data in broadly the same way. To maintain full compliance, there cannot be too much change in how a citizen experiences data protection from one country to another.

There are national derogations available under GDPR, but these are limited in scope to issues like national security, judicial independence and religious exemptions. In addition, any restriction must still respect fundamental freedoms and remain necessary and proportionate.

Not all the rules of GDPR have been finalised. A group known as the Article 29 Working Party is currently writing guidelines on everything from who will need a DPO to the right of data portability. After the implementation of GDPR, the Working Party will become the European Data Protection Board, made up of a representative from each EU member state. It will continue to write guidance and coordinate enforcement across the EU and potentially alter the way GDPR should be implemented.

After Brexit, the U.K.’s ICO may no longer have a seat on the Data Protection Board. To remain compliant, the U.K. could end up having to implement decisions of the board without having a say.

The problem is how to incorporate all these individual changes and adaptations without the need for constant legislation. To maintain full compliance, the U.K. may have to devise a system to automatically implement GDPR developments which take place in Europe. However, this leaves the possibility that a post-Brexit EU moves faster and further with data protection, no longer bogged down by British objections. This could force the U.K. to implement GDPR decisions it might not like in order to maintain full compliance. If not, a two-tier, partial compliance system could emerge. On the other hand, full compliance might not be too difficult. The current eight principles of data protection remain the same under GDPR, and the U.K. in general has strict data protection laws.

Partial Compliance

Partial compliance with GDPR could emerge from a situation where the U.K. keeps the regulation on the statute books after Brexit but doesn’t keep pace with any changes as they develop.

The Prime Minister plans to incorporate the body of European law into U.K. law in a “Great Repeal Bill,” and then decide which laws to keep and which to, well, repeal. With no automatic mechanism to keep up with changes in EU rules, a two-tier system could be the only option. This might mean U.K.-based companies with business in the EU complying with GDPR internally but operating under a different standard for their British operations.

Some of the more stringent GDPR requirements, such as 72-hour breach notification, unrestricted right of access and the right to be forgotten, may be without a home in post-Brexit Britain, but remain part of EU rules. Companies will have to prepare for the potential increased workload and confusion that may result from trying to comply with two different systems at the same time.

While some companies and politicians may be keen to drop a number of GDPR requirements as soon as possible, partial compliance creates its own problems. Too much tinkering with the rights of data subjects, or stepping too far away from the protection of fundamental rights that GDPR is based on, could leave the U.K. and EU data protection regimes in a state of divergence.

Divergence

The U.K.’s divergence from GDPR would mean a significant and material shift away from European standards of data protection. This could happen if the U.K. rejects GDPR wholesale and keeps the Data Protection Act instead. Another scenario is that GDPR is implemented, but after Brexit, it’s repealed or amended beyond recognition.

However, a legislative separation might not necessarily mean divergence. U.K. case law has been catching up with European concepts of privacy. In a recent Court of Appeal case, Google vs. Vidal Hall, the U.K. court found a right to claim compensation from a data protection breach without having to prove financial loss. However, this ruling was made by applying EU law, so Brexit may end up narrowing the scope of how British judges interpret data protection.

There is always the possibility that the U.K. may diverge from GDPR but toward even greater protections. The U.K. is already a world leader in data protection and has taken pioneering decisions in other areas of compliance, such as the Modern Slavery Act.

Divergence in this direction matters less than divergence the other way. If the U.K. and EU data protection systems become too different, the U.K. could be in danger of losing its adequacy determination, making data transfers from the EU to the U.K. technically illegal. Even if the U.K. maintains full compliance with GDPR, there is still a possibility that Brexit could threaten the U.K.’s adequacy determination.

Brexit: Deal or No Deal?

Regardless of what the U.K. does with GDPR after Brexit, the biggest threat to data protection is from an exit from the EU without any deal. This is the so-called hard Brexit and fallback to WTO rules until a further agreement is reached, or not. It’s the kind of Brexit Theresa May and many inside the Conservative party and Leave camp have called for. As we have seen, the crucial component for the U.K. after Brexit is to be judged as offering an adequate level of protection by the European Commission.

A hard Brexit with no deal means no assessment of adequacy. Furthermore, the U.K. cannot apply to the European Commission for an assessment of adequacy; that determination can only be given by the Commission itself. If the negotiations turned sour and both parties decided to walk away with no deal, perhaps due to the estimated €60 billion leaving bill, there might not be much goodwill left to speed up a U.K. adequacy determination for GDPR.

Without any sort of bridging deal, transferring data from the EU to the U.K. could be seen in the same way as transferring data to Zimbabwe. Data transfers to the U.K. could be technically illegal. This, of course, would imperil the economies on both sides of the channel, but it’s a serious risk if there is no deal or transitional arrangement in place.

Canada was judged to offer an adequate level of protection following the conclusion of CETA – the EU/Canada free trade deal; and adequacy is offered to a handful of other countries including the Channel Islands, New Zealand, Israel and Argentina.

Data transfers to the U.S. take place under the auspices of the EU-US Privacy Shield, which American companies can sign up for to demonstrate they offer an adequate level of protection. This was hastily put together after the previous Safe Harbour scheme was ruled as being inadequate by the European court. It may be that in the event of a no-deal Brexit, the U.K. can join the Privacy Shield, allowing companies a one-step registration process to essentially continue doing what they will already have been doing right up until the formal exit from the EU.

But the question of whether the Privacy Shield will survive President Trump has become another reason to worry what the next few years will mean for data protection.


Tags: Brexit, GDPR

Nick Henderson-Mayo is director of learning and content at compliance eLearning and software provider VinciWorks. He has played an important role in developing VinciWorks’ most interactive and customizable courses covering topics like ESG, anti-bribery, anti-money laundering, GDPR, diversity, mental health, health and safety and more. Nick is a policy expert with a background in public, voluntary and private sectors and has expert-level knowledge across a wide range of areas.


Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 
