May 25, 2018

GDPR in the UK — What Brexit will mean for the new regulation

By Rachel Dobbs

After weeks of emails from companies talking about GDPR, and begging customers to stay on their marketing lists, the day has finally arrived.

From today, the new EU law comes into effect, and companies must abide by stricter rules when collecting and using users’ personal data.

GDPR shifts the burden of making sure companies abide with the legislation onto member states. But Britain won’t be a member state for much longer.

What will Brexit mean for GDPR?

All the noise about data compliance in the UK hasn’t been for nothing. After Britain leaves the bloc in 2019, it is true that it won’t be subject to GDPR in the way that member states are. However, for all extents and purposes, the same rules will still apply in Britain.

This is because of a new piece of UK legislation — the 2018 Data Protection Act, sometimes referred to as the Data Protection Bill — which has been making its way through Parliament over the past few months. This updates the law in the 1998 Data Protection Act. It received Royal Assent on 23 May, two days before GDPR officially begins.

The new Data Protection Bill seeks to replicate the conditions of GDPR within a British legal framework. It also aims to add to GDPR’s conditions in certain areas, and currently contains a provision requiring social media companies to delete users’ posts made before their 18th birthday.

Why will UK law follow GDPR?

The decision for the UK to abide by GDPR, while removing itself from the legal framework of the EU, is not so much a political issue as a practical one.

GDPR prohibits the transfer of personal data to a non-EU country if that country isn’t deemed to have “an adequate level of data protection”. Only by matching GDPR conditions can Britain ensure that data — and the money it brings for British companies — continues to flow between it and the EU.

GDPR rules also apply to any organisation, inside or outside the EU, that holds or uses any European personal data. This means that any company holding information on European customers has to obtain explicit and informed consent for that data. Users must also be provided with a way to revoke that data, or to see all the data that a company holds on them.

Not have GDPR-level data compliance means Britain would be shut out of a market with more than 500 million consumers. Alternatively, a company seeking out those consumers while not being offering adequate data protection would be at risks of fines from the EU of up to €20 million, or 4% of global revenue.

Elizabeth Denham is the UK’s Information Commissioner. Writing about GDPR and the 2018 Data Protection Act, she said:

The new Act updates data protection laws in the UK, and sits alongside the General Data Protection Regulation (GDPR)…The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.

The UK’s growing digital economy relies on consumer trust to make it work. The Act, along with the GDPR provides a modernised, comprehensive package to protect people’s personal data in order to build that trust.

Verdict deals analysis methodology

This analysis considers only announced and completed cross border deals from the GlobalData financial deals database and excludes all terminated and rumoured deals. Country and industry are defined according to the headquarters and dominant industry of the target firm. The term ‘acquisition’ refers to both completed deals and those in the bidding stage.

GlobalData tracks real-time data concerning all merger and acquisition, private equity/venture capital and asset transaction activity around the world from thousands of company websites and other reliable sources.

More in-depth reports and analysis on all reported deals are available for subscribers to GlobalData’s deals database.

Topics in this article: ,