GDPR and edisclosure after Brexit
The EU General Data Protection Regulation (GDPR) is due to come into effect from May 2018. Now that the UK has voted to leave the EU, what will become of this regulation and what effects will it have on edisclosure?
The answer to this question will be determined by how the UK separates itself from the EU.
It could remain part of the European Economic Area (EEA) Agreement, and therefore the status quo would remain and nothing with regard to the GDPR would change. Edisclosure vendors would still need to comply with the GDPR. An alternative answer could be that the UK does not remain a member of the EEA, which would create a lot of uncertainty and raise numerous questions.
First, will the UK create its own version of the GDPR? Once article 50 of the Lisbon Treaty has been signed and the UK's withdrawal has been negotiated, I believe that the UK will adopt something similar to the GDPR. The regulation was already agreed and it would make sense to implement the GDPR as a basis for any UK data protection legislation.
Whether a UK version would be as complex would be down to the lawyers of this country, but making sure that any legislation takes a serious look at maintaining the privacy of UK nationals' personal data in a modern world is imperative.
If the UK decides not to adopt the GDPR and only processes UK nationals' data, then the GDPR would have no effect on UK vendors. If an EU national has data in a case, then, as I understand it, the GDPR would come into play.
Second, would UK vendors be able to process EU data in the UK? This will depend on whether the UK is considered a safe third country or whether it will have to jump through hoops to achieve some form of agreement, similar to the EU-US Privacy Shield. Alternatively, there might be a spike in UK edisclosure vendors opening up offices in Europe with the sole purpose of processing EU data. If this sparks a trend, then the offices within the EU will most certainly have to comply with the GDPR. A transfer without an agreement would be considered a breach and could lead to hefty financial penalties.
It makes sense that UK edisclosure vendors should be prepared to comply with the GDPR until told otherwise. The risks of not complying are too costly, and hiding behind Brexit will not be a sensible approach. There are so many EU nationals in the UK whose data should be protected under the GDPR that not complying, or transferring data to the UK from the EU in contravention of the regulation, could land an edisclosure vendor in hot water.