It would be essential to take account of the views of the UK Information Commissioner’s Office however well or badly it expressed them.
As it happens, this extremely good document by the ICO sets out the themes and implications of the GDPR with as much clarity as the circumstances permit.
If you detect a hint of doubt there, you are right. The ICO faces the Brexit issue head-on in its introduction.
As a member state of the EU, the UK would be required to comply with the GDPR to the letter – it is a regulation, not a directive. If the UK wishes to keep its place of importance in the global digital economy after an exit from the EU, then it must satisfy the EU that it has acceptable standards for data protection, including new GDPR features like breach notification and data portability. In practice, that means the UK must enact legislation more or less equivalent to the GDPR and satisfy the EU both that it has done so and that it will enforce compliance with it.
The ICO paper says that the ICO “will be speaking to government to explain our view that reform of UK data protection law remains necessary”. That is fine and proper. The issue will be finding someone within government both willing to take an interest and competent to deliver.
There are three possible outcomes as things stand: we leave the EU promptly and in good order, with deals struck with alternative trading partners and a beneficial relationship with the EU – what might be called the “pie-in-the-sky” outcome; or we defer doing so effectively for ever, stuck permanently in a state of economic uncertainty; or we faff about in an unfocused way, short of resources and short of commitment, until we eventually crawl away, hoping to find some equivalent place in the world.
As things stand, the last of these looks the most likely outcome. The three ministers appointed to deal with negotiating our exit from the EU and our new trading relationships with others are squabbling already about who controls such limited resources as exist. Some of their pronouncements betray an equal mix of futile optimism and unforgivable ignorance, along with a bucketful of the deliberate dishonesty which got us into this mess in the first place.
As well as competition for skilled people, there will be competition for scarce Parliamentary time, to say nothing of the draughtsmen responsible for the preparation of legislation. The whole thing is a shambles.
What should businesses do about the GDPR, whether UK-based businesses facing outwards or foreign organisations hoping to do business with us? The most practical answer might be “move to Dublin” which, as the last English-speaking country left in the EU, is gearing up to capitalise on the UK’s stupidity.
Whether or not that is possible, organisations need to be ready to comply with the GDPR whatever legislation the UK eventually enacts. There are good positive business reasons for doing this, quite apart from potential liabilities in the future. The ICO’s document is a very good and authoritative starting point for those who want to know what they should do.