“Hello, I must be going, I cannot stay,
I came to say, I must be going.
I’m glad I came, but just the same,
I must be going.”
Like the Groucho Marx song, there have been a lot of vocal opinion makers turning circles around what a leave or remain vote will mean for the United Kingdom and the rest of Europe. The question for IT professionals is: how should they plan for the upcoming enforcement deadline of the European General Data Protection Regulation (GDPR)?
Does GDPR matter if the UK leaves the EU?
The answer may be less complex than many organizations think. There are discussions of the Norway option versus World Trade Organization regimes should the UK leave the EU. Some analysts point out that if the UK leaves the EU but remains part of the European Economic Area (the Norway option), then both the European Data Protection Directive and the GDPR will still be in force – UK firms will have to continue to plan for GDPR readiness.
If the UK exits without any trade agreement with Europe (the WTO option), then theoretically Britain can pass data protection regulations that don’t align with the protections, requirements and fines detailed in the GDPR. Eventually, the UK would need to negotiate a data transfer arrangement with Europe similar to the effort the US and Europe have around Privacy Shield (an initiative fraught with difficulties).
Why do these scenarios miss the larger point?
GDPR rules are not triggered by where your firm is registered or where the data resides, but by who the ‘data subject’ is. If data about individuals residing in the EU is stored or processed, then your firm falls under GDPR scope. Even if your company does not handle personal data directly, there is an argument that any data you may hold or process that can help identify EU individuals also falls under the scope of the GDPR. Your company does not need to have offices or subsidiaries in the EU to be impacted by the GDPR.
Given the interconnected business environment across Europe, a large percentage of UK firms offer goods and services to individuals in the EU and track their interests and purchases for marketing and customer service. The extraterritorial reach of the GDPR is so extensive because it greatly expands the definition of personal data and because it regulates any processing of data covering EU individuals, no matter where that processing occurs. The individuals do not need to be EU citizens; anyone located in the EU region is entitled to the new privacy protections.
The bottom line is that most UK firms (like their US counterparts) need to plan for the more stringent privacy rules detailed in the GDPR. Even if the UK leaves the EU, the new reality of the GDPR will remain.