The referendum result raises an immediate practical question concerning data protection law. Given the prospect of Brexit, should organisations continue to prepare for compliance with the European General Data Protection Regulation (GDPR), scheduled to apply from 25 May 2018? In our view, the best advice (for the time being) is to continue with preparations either for compliance with the GDPR itself, or with UK legislation that would be likely to be in substantially the same form.
We do not yet know when the UK government will invoke Article 50 to begin the two-year procedure for withdrawal from the EU, although October 2016 has been mooted as a possibility. Consequently, the UK will still be a member state and directly subject to the GDPR in May 2018. Even if the GDPR has direct application for only a short period, the risk of substantial sanctions for non-compliance would apply during that period.
Even after the UK ceases to be a member state, the provisions of the GDPR will still be relevant to UK businesses for two reasons. First, the GDPR has extra-territorial effect – it applies to organisations outside the EU that offer goods and services to individuals in the EU or monitor their behaviour. Second, continued trade with the EU, and the exchange of personal data, will almost certainly depend upon adequate data protection laws being in place and an adequacy decision from the European Commission in respect of the UK. This would likely necessitate the adoption of the GDPR or laws equivalent to it to replace the current Data Protection Act.
Similar practical effects would be likely to occur if the UK were to negotiate any form of continued access to the single market, perhaps on the European Economic Area or "Norway" model. Any such deal would be likely to require the UK to sign up to the GDPR (or laws equivalent to it).
At a practical level, the legal analysis is arguably superfluous for businesses that operate across Europe; in an era of shared services and economies of scale through a standardised offering, many such businesses will likely need to consider the requirements of the GDPR even if it is not applicable in the UK. For instance, if a UK member of a European group procures the services of a data processor for the benefit of the wider group, the requirements of the GDPR in terms of contractual provisions, cross-border transfers, apportionment of liability, etc., will still need to be considered and addressed.
Our advice is to continue to plan for compliance with the GDPR. On any currently credible projection, UK businesses will probably have to either comply with the GDPR itself, or with new UK legislation closely modelled upon it.
While this approach might risk over-compliance (and so each project will need to be considered on its facts), that risk pales alongside the substantial financial and business risks that would potentially attend non-compliance.