Following this summer’s vote to leave the European Union, the wider implications of Britain’s decision to break from the EU continue to be felt as governments, businesses, and private citizens look to forthcoming negotiations. Unfortunately, it appears that definitive answers to the questions raised by the vote may not be forthcoming for some time following Theresa May’s October 2 announcement that she plans to trigger Article 50, setting in motion negotiations regarding Britain’s departure, by March 2017. One area up for consideration will likely be the issue of data privacy and whether UK will create its own privacy rules or follow the lead of the EU in implementing the General Data Privacy Regulation (GDPR). Generally speaking, this law, slated to take effect in May of 2018, will limit the amount of and type of data on EU citizens which may be gathered and shared. Interestingly however, May’s announcement comes just days after the newly appointed head of the Information Commissioner’s Office (ICO), Elizabeth Denham, stated that Britain should follow the GDPR regime. During an interview with the BBC, Denham made her sentiments clear, stating “I don’t think Brexit should mean Brexit when it comes to standards of data protection…In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.”
Should the above sentiment hold, it would appear likely that international employers/businesses with operations in the UK may fall under the GDPR. From an employer’s perspective, this can be a mixed blessing. While GDPR policies represent a major shift in how data is kept and shared, along with hefty sanctions for violations, the pros of having a more unified set of rules to abide by may help ensure that businesses are not faced with multiple privacy standards when conducting operations in the EU and, possibly Britain. It bears mentioning however that the GDPR authorizes individual Member States to implement more specific rules with respect to the processing of HR-related personal data. This includes data collected for the purpose of recruitment, performance of the employment contract, diversity, health and safety, etc. These potential member state specific rules not only apply to employers processing employees’ personal data, but also to HR service providers (“data processors”) as well as non-EU affiliates of multinational corporations if all HR data is centrally stored and accessible to affiliates worldwide. It will therefore remain important to continue monitoring national law developments in the field of workplace privacy.
Despite the above, the GDPR represents the possibility of a far more streamlined approach than grappling with the disparate privacy laws of each individual member state. This desire to provide one standard for businesses appears to be at the heart of Denham’s desire to retain the GDPR. Denham relayed these sentiments later in the same interview with the BBC: “In a global economy, we need consistency of law and standards – the GDPR is a strong law, and once we are out of Europe we will still need to be deemed adequate or essentially equivalent. For those of you who are not lawyers out there, this means there would be a legal basis for data to flow between Europe and the UK. We’re talking about proper protection for consumers, about certainty for business, and about strong independent oversight of the law.”
While it remains to be seen whether the UK will abandon the GDPR during upcoming negotiations, it appears that Britain is keenly aware of the need to provide certainty, especially for businesses just now coming to terms with new privacy rules. It is therefore likely that the GDPR will be, in large part, implemented in the UK, most likely providing global employers with the opportunity to craft general privacy rules for employees throughout Europe.