Data protection post Brexit

Recently Elizabeth Denham, the UK Information Commissioner, stated that despite Brexit there would be little if any change to the data protection law in the UK and more importantly that the General Data Protection Regulation (GDPR) will come into force well before the UK leaves the European Union.

There are questions already being raised about UK data protection law post Brexit and here are some thoughts and ideas for you.

Data protection principles

The current data protection law in the UK has 8 principles which reflect those outlined in current EU Data Protection Law as well as those reflected more internationally in framework such as the Fair Processing Principles in the United States and those in the OECD Guidelines on Privacy.

The UK will continue to base its law on the principles of fair and lawful processing, transparency and accountability, adherence to the rights of individuals, the provision of adequate technical and organisational security and controls on international data transfers.

International data transfers

The UK has always had a commercial approach to international data transfers and it has been permissible for a business to transfer business outside the UK to third countries outside the European Union provided that the company has carried out due diligence and is satisfied that the protection of the rights of individuals are adequately adduced. To that extent, even though GDPR allows for certain contractual models to be put in place to manage international data transfers, there is the possibility that post Brexit the regulator may allow the continuance of the notion of an adequacy assessment.

Having said all of that, for some while the UK Information Commissioner’s Office (ICO) has been looking to publish details of a privacy compliance seal and it is hoped that this may come into effect well before Brexit to enable companies to apply for a privacy seal from the ICO that would cover international data transfers as well as general compliance with data protection principles.

Right to be forgotten

The right to be forgotten or the right of erasure already exists in the EU as a result of the decision in the Gonzalez case in the European Court of Justice. Other Member States have accepted the right to be forgotten and indeed other countries including Japan have also decided that such a right is enforceable.

Post Brexit the UK is likely to uphold the right of erasure since it is an integral part of GDPR and will already be part of EU law.

Consent to processing

The notion of consent by individuals to legitimise processing their personal data is much focused upon and often it is overlooked that there are other ways of lawfully processing data. Whilst consent is an important principle under GDPR, so is the notion of “legitimate interests” or “legitimate purposes” by which a business may process personal data without consent if it is for legitimate purposes of the business and does not significantly harm the human rights or personal data rights of the individual.

As the UK has a major focus on the digital economy and particularly on developing technologies within big data analytics, the Internet of Things, smart cities and driverless cars, it may be expected that the ICO will work with industry to provide meaningful guidance around the “legitimate interests” exemption to enable all the benefits of new technologies to be applied for the good of the country whilst still protecting the rights of data subjects.

GDPR is coming, Brexit or not, and we have prepared a separate set of guidance for businesses on how to prepare for the future.