Post number one talked about the new General Data Protection Regulation (GDPR). Post number two touched on the looming issue of Brexit. Where to go with post number three - data protection post Brexit of course!
Working in an international business that wants to expand throughout Europe, a single directly effective data protection regime (even one that directly regulates data processors) across the whole of the EU is appealing.
If the UK leaves the EU, the GDPR won't automatically bite here and the government will need to decide what to do - follow the GDPR regardless or forge another path?
Whilst I do not envisage a post-Brexit UK ditching the EU model altogether and seeking to rely on a US-style 'privacy shield' or a Canadian-style 'adequacy decision,' it could adopt a halfway approach in which the UK implements enough elements of the GDPR to be an approved country for data transfers but leaves others.
For businesses with a presence or desire to expand throughout Europe, the certainty of a single data protection regime is within touching distance. For the UK not to be part of that feels like a missed opportunity.
All views my own. This post does not give legal advice.
However, following Brexit, it is perhaps more likely that the UK might refuse to align its data protection laws to the level of the GDPR, given the UK’s (and Information Commissioner's Office’s) persistent pushback on large tracts of the draft GDPR throughout the process of arriving at a “compromise text” in December 2015. Repeatedly, the UK’s stance has been that the proposed GDPR measures were either overly process-driven or unnecessarily protective of the individual.