As Theresa May puts the European Union on notice that the UK wants out, the focus now falls on trade deals and law repeals. With many business leaders still convinced that Brexit will save them from the rigours of GDPR - and even whispers that the ICO fears it will be among the European laws to get axed - here are three options for what will happen next.
1 - Nothing changes, the Regulation stays
Given the centrality of the digital economy to every developed economy, there is likely to be little appetite for anything that might disrupt it. Especially as the UK faces an uphill struggle maintaining existing trade flows, creating an obstacle to EU and US trade would make little sense. A trade deal that allows British companies access to the European market will be struck and, in all likelihood, it will see many of the existing rules retained.
It is also the case that there is hardly any domestic opposition to GDPR. Despite the low-level grumbling about its impact on business, legislators will probably not want to be seen denying consumers rights that most are likely to think they already have. There are no votes to be had in saying business can do whatever it likes with personal information.
2 - Hard Brexit, Regulation repealed
If the UK’s negotiators are unable to reach that kind of deal, the current view is that the UK would fall back on WTO trading rules. This is likely to lead to a wholesale repeal of many existing EU laws as part of a bonfire of the ties that have bound us to the Continent. Having reached the statute books last year, GDPR may never get enacted and enforced, and instead be sent to the shredder.
But where would that leave data protection? Currently, the UK has a serviceable piece of legislation in the form of the Data Protection Act, which is almost uniformly adhered to. It is worth noting that the eight principles that underpin DPA are also present in the Regulation, just wrapped in a much more stringent framework.
If the UK maintained DPA, but decided to adopt a more rigorous approach to enforcement, it would be hard for the EU to refuse the UK an all-important adequacy ruling. A fresh set of guidance by the ICO around transparency, permission, subject access requests and deletion would allow major data controllers to tweak existing practices and systems without the wholesale reconfiguration GDPR will need. (Although by the time domestic legislators decide to do this, it will probably be too late to pull back from those compliance programmes.)
3 - New world, new law
Once the earthquake of Brexit has passed, legislators will be able to return to their routine work of ensuring laws are fit for purpose. With DPA 20 years old, and if GDPR is repealed, developing a new suite of data protection and privacy laws would become an urgent goal.
The upside of this approach would be the ability to map the UK’s data protection regime against both the US and the EU. Currently, many US organisations view GDPR as a torpedo aimed at their digital fleets. Creating a new framework that is interoperable across Europe and America is feasible - there is plenty of reference material to draw on - and would be attractive to trading partners. It could also be used by government as an opportunity to write in backdoor access to encrypted services, something it would view as highly desirable and that would also put the UK on the right footing with its American intelligence partners. The downside is that it would be hard work and likely to take several years to finalise.