It may seem logical to assume the General Data Protection Regulation (GDPR), or EU data law, will no longer apply to the UK when it is introduced in May 2018, but it is nowhere near as straightforward as that.
Despite the vote to leave the EU, sales departments have not seen the back of the European regulation because the UK Government may find it easier to stick with its introduction rather than to stay with or amend the current Data Protection Act.
Understanding whether or not to prepare for GDPR is important because a considerable amount of time, money and effort is needed to prepare for it, and the Information Commissioner's Office (ICO) has been given heavyweight powers and sanctions to enforce it should the data law come into effect.
The ICO itself is currently being non-committal on the subject, but has issued a statement that says that if GDPR is not adopted then a UK Data Act will have to match it:
‘If the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018.’
However, adoption of GDPR is already written into UK law by Parliament, and unless it is repealed it will come into being in less than two years, which will be well within the time it will take to conclude a new trade agreement with the EU. What is more, any agreement will almost inevitably include data handling requirements.
Because of this, Westminster may decide it is logical to leave the forthcoming act as it is, based on the fact that the European Economic Area Agreement (EEA) requires GDPR compliance. The three EEA member countries, Norway, Iceland, and Liechtenstein, become subject to the regulation at the same time as the 27 EU countries.
It is understood that Brexit leave campaigners rejected EEA because of the free movement of people and financial contribution requirements, but nevertheless, any trade deal negotiated is likely to have the EU data regulation built in. Switzerland and Israel adopted the 1995 European Data Directive in order to trade with the EU more freely, and may well decide to maintain their compliant status. It would be logical for the UK to do the same even if a trade deal did not actually stipulate adoption. Also, UK negotiators may take the position that withdrawing GDPR from statute would send a negative message to their EU counterparts, and advise government to keep it to timetable on the legislative books.
For the time being, the current domestic data protection law remains in force, and there are options companies can adopt to manage the uncertainty about the future. UK companies that trade in Europe can create a clear separation between UK and EU operations by adopting a data firewall when processing information. This means implementing a two-track system, and it is something many international companies have to do when having contact with consumers in different countries and continents. For a UK-only operation with direct sales to EU consumers, the requirements will mainly be to include consent to data transfer in sales contracts, and follow the data protection requirements.
But what this does not take into account is the fact that the EU will almost certainly insist on a separate data transfer agreement with the UK similar to the Privacy Shield with the United States. Although there is still some debate about whether Privacy Shield will last the test of time due to potential unresolved flaws, it would anyway be incompatible with the Investigatory Powers Bill (Snoopers' Charter). The government would have to amend or repeal the Investigatory Powers legislation, or it may mean that European companies have to limit severely how they share personal data with their UK partners, customers and buyers.
Once negotiation on data transfer begins it is likely that an agreement could be reached relatively quickly. When Safe Harbour was ruled as incompatible with EU law it was months rather than years before an alternative was agreed between the EU and United States.
However, cross border data transfer is primarily the concern of large international businesses. What is of importance to most sales departments is GDPR, which is almost certainly a long way down the list for negotiation between the UK and the EU, and it is likely that there is going to be uncertainty about it for some time.
This raises the question of whether sales managers should start preparing for what might happen. Given that GDPR is written into statute to become law with no indication that it will be withdrawn, plus the fact that any type of EEA-based deal is almost certain to require its implementation, the least that should be done is to plan for it.
But there is another way of looking at the situation, and that is to approach the question from a monetary perspective: how much will it cost to be ready for GDPR vs. a fine from the ICO and damage to reputation? Given the draconian powers the ICO will have under the EU law, and the heightened sensitivity of consumers to data breaches, it may be best to be prepared come May 2018.
By Dene Walsh, Operations and Compliance Director Verso Group, premier multi-channel lead generation and data provider delivering high quality, high impact sales leads that convert with velocity and ROI.