After weeks of emails from companies talking about GDPR, and begging customers to stay on their marketing lists, the day has finally arrived.
From today, the new EU law comes into effect, and companies must abide by stricter rules when collecting and using users’ personal data.
GDPR leaves the job of making sure companies abide by the legislation to the member states, whose national supervisory authorities enforce it. But Britain won’t be a member state for much longer.
What will Brexit mean for GDPR?
All the noise about data compliance in the UK hasn’t been for nothing. After Britain leaves the bloc in 2019, it is true that it won’t be subject to GDPR in the way that member states are. However, for all intents and purposes, the same rules will still apply in Britain.
This is because of a new piece of UK legislation, the Data Protection Act 2018 (referred to as the Data Protection Bill while it was making its way through Parliament over the past few months). It replaces the Data Protection Act 1998. It received Royal Assent on 23 May, two days before GDPR officially begins.
Delighted to say we have Royal Assent to the Data Protection Act 2018.
— Matt Hancock (@MattHancock) May 23, 2018
The new Act seeks to replicate the conditions of GDPR within a British legal framework. It also aims to add to GDPR’s conditions in certain areas, and contains a provision requiring social media companies to delete users’ posts made before their 18th birthday.
Why will UK law follow GDPR?
The decision for the UK to abide by GDPR, while removing itself from the legal framework of the EU, is not so much a political issue as a practical one.
GDPR prohibits the transfer of personal data to a non-EU country unless that country is deemed to have “an adequate level of data protection”, or other safeguards (such as standard contractual clauses) are in place for each transfer. Only by matching GDPR conditions, and securing an adequacy decision on that basis, can Britain ensure that data, and the money it brings for British companies, continues to flow freely between it and the EU.
GDPR rules also apply to any organisation, inside or outside the EU, that offers goods or services to people in the EU or monitors their behaviour, and so holds or uses their personal data. This means that any company holding information on European customers has to have a lawful basis for processing it; explicit and informed consent is the basis most people think of, though it is not the only one. Users must also be able to withdraw consent, ask for their data to be erased, and see all the data that a company holds on them.
Not having GDPR-level data compliance means Britain would be shut out of a market with more than 500 million consumers. Alternatively, a company seeking out those consumers while not offering adequate data protection would be at risk of fines from the EU of up to €20 million, or 4% of global annual turnover, whichever is higher.
Elizabeth Denham is the UK’s Information Commissioner. Writing about GDPR and the 2018 Data Protection Act, she said:
The new Act updates data protection laws in the UK, and sits alongside the General Data Protection Regulation (GDPR)… The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.
The UK’s growing digital economy relies on consumer trust to make it work. The Act, along with the GDPR provides a modernised, comprehensive package to protect people’s personal data in order to build that trust.