GDPR: Does Brexit change anything?
The recent UK referendum vote to leave the EU (Brexit) doesn’t change the need for Financial Services institutions to become GDPR (General Data Protection Regulation) compliant by May 2018.
Doesn’t ‘Brexit’ change all this for UK Financial Services institutions?
In the short term the answer is NO!
UK Financial Services institutions are still going to need to plan and develop strategies to support the requirements of GDPR. However, there are a number of variables surrounding the timing and implications of the Brexit vote and its influence on GDPR compliance. Let’s look at a few.
At time of writing, here are some facts about Brexit that are relevant for GDPR:
- GDPR comes in to force in May 2018 regardless of whether the UK is in the EU or not
- The UK hasn’t yet triggered Article 50 to formally commence the exit process and the formal start of negotiations over terms
- The current UK Prime Minister has stated that the intention is to understand what the Brexit realities are and that it is likely that Article 50 will get triggered in either late 2016 or early 2017
- All organisations that hold data on EU citizens, regardless of location, will need to be GDPR compliant
- Regardless of what happens on Brexit timing, GDPR will apply to any UK organisation that holds EU citizen data
- It is unclear how long negotiations will really take and when the point is reached where Brexit is deemed to have been completed
So the 2 big questions on Brexit are:
- When will Brexit formally start and complete?
- Under what terms will the UK trade with the EU after the exit?
The following observations are based upon options around Brexit and GDPR timing, as well as some assumptions about what the relationship will be, for the UK, with the EU.
Given the often multi-national nature of the Financial Services industry, the terms of the relationship will be critical to future planning. A key point is that the regulation is based upon data privacy for EU citizens. Citizens are Customers but are also Employees – the regulation doesn’t just apply to Customer data.
What happens whilst the UK is negotiating to leave the EU?
Without the formal triggering of Article 50 there is no certainty about the start of the process. Although there is a time limit of 2 years to the exit process, many commentators believe negotiating the terms could take significantly longer. Therefore:
- The UK will still be subject to GDPR for all EU citizen data held whilst the UK is still a full member of the EU. The length of time the UK will still remain a full member is unclear but is considered to be at least 29 months (assuming Article 50 gets triggered in January 2017)
- GDPR comes in to force in May 2018
- GDPR compliance will be required in approximately 22 months
- Once Article 50 gets triggered, it will take at least (in theory) 24 months for the exit to complete
- We already have a 2-month overlap when UK businesses will need to be GDPR compliant and every day there is a delay to the triggering of Article 50, the size of the overlap increases
- Organisations needs to understand the implications for their businesses and get building the right capabilities to be able to respond within the timeframes
Based upon the above diagram, the biggest issue will be how long the Brexit and GDPR overlap will be. The longer it takes to trigger Article 50, together with the length of time to negotiate an exit, will both a major factor in the size of the overlap.
What happens when the UK leaves the EU?
At some point the UK will formally leave the EU and the assumption will be that GDPR compliance requirements will change.
The main change likely at that point will be that any data held about a UK citizen will no longer be subject to GDPR but that any data held on an EU citizen still will be.
The consequence of this is that Financial Services institutions are still going to need to be able to distinguish who is an EU citizen and who is not, then apply the appropriate privacy Policies to that data. Given the size of the financial penalties for a breach, Financial Services institutions need to be continuing to develop their strategies and capabilities to support GDPR compliance regardless.
And in the medium to long term?
One likely consequence of Brexit, is that there is going to need to be some form of UK Data Privacy legislation to protect UK citizens both in the UK and abroad. The UK will need a robust Data Privacy framework to protect its own citizens and also to trade with the EU. It is therefore likely that there will be some form of GDPR-like regulation (UK GDPR) put in place by the UK government. What form this will take, nobody yet knows. All we can assume is that it will be similar to GDPR in some aspects, although which ones is currently anyone’s guess.
So at this stage, Financial Services institutions are going to have to cope with GDPR (for EU citizens), UK GDPR (for UK citizens) plus any other data privacy regulations required. All this on top of any requirements from their financial regulators (such as BCBS239 or SOLVENCY II).
So what do we do now?
Preparations need to be gathering pace in Financial Services institutions for ensuring they will be GDPR compliant by May 2018.
Remember – GDPR is just another Data Management problem, albeit right now it has some less usual actors involved including Legal departments. The challenges of managing data are well understood by the Financial Services industry and so how we respond will be as we always do – with careful consideration and with a proper plan. The Brexit decision doesn’t change much in the short term although data privacy complexity may increase in the long term.
So what now? I get asked 2 common questions on GDPR:
- Where do we start?
- What capabilities do we need to ensure compliance?
To answer questions 2, I point Financial Services institutions towards another webinar we ran recently to address this question
Please feel free to download and listen to these webinars. They’re packed with information to help you get started and ideas on capabilities you’ll need to have in place to ensure compliance within the time.