Businesses should assume that new EU data regulations will come into force despite Brexit, says Blacks

Businesses in the UK should work on the premise that the EU’s General Data Protection Regulation (GDPR), which is due to come into force on 25 May 2018, will apply to the UK and will stay in force for some time after Brexit, according to a lawyer from Blacks Solicitors.

Phil Gorski, a lawyer specialising in IP at the firm, has said that the Brexit exit clock will formally start ticking once the UK gives notice of its intention to leave the EU under Article 50 of the Lisbon Treaty. However, as Article 50 provides a minimum two-year period for formal exit negotiations to take place, even if notice had been provided immediately, the GDPR would still come into force.

The GDPR is a modernisation of the current, slightly rusty, regime, put in place by the Data Protection Act 1998. It introduces new and stricter obligations and a system of increased fines to go with them.

“Businesses should work on the basis that the GDPR will come into force in May 2018 and that it will stay in force for some time afterwards,” said Gorski.

“There are a number of ways that businesses can protect their online data, the most basic of these being: making sure company’s anti-virus software is up to date and that all staff are correctly trained in online security and data protection.”

Whether the GDPR remains in the long term, however, depends on what alternative relationship with the EU is eventually put in place, according to Gorski.

“It is the uncertainty here that makes planning for the future difficult,” he added.

“It is difficult to predict what obligations either would impose on businesses. A system which provides an adequate level of protection could take a number of forms and it is almost impossible to know which parts of the GDPR might be retained.”