Writing this on the afternoon of 13th December the Conservative party took a large majority in the General Election under a banner of "Get Brexit done". Without being able to predict the future it is probably safe to say that the lengthy Brexit process is likely to get a significant push now with talk of legislation being bought in a matter of days.
We are not here to talk about politics but reflect on what this could mean for our clients at Col8, in particular the ones that are heavily involved in the security industry using video as a form of evidence and protection. As we have discussed at length under the EU's GDPR legislation people are able to now request their personal data, for free within 31 days (some exclusions do exist) and included in this is video data.
This is the question we have heard many times recently and we want to cover as much of that as we can during this period of uncertainty.
Key questions to look at are:
- Who is actually covered by GDPR?
- Will the UK take GDPR in to its own laws after Brexit?
- GDPR will still apply across the EU so will it apply in the UK anyway?
A good place to start is who is actually covered by GDPR, simple, any EU Citizen isn't it?
Well actually if you read the 99 articles in GDPR it doesn't use that terminology, it uses "natural persons" and states "whatever their nationality or place of residence".
This means GDPR covers anyone whether they are born in the EU, live in the EU or citizen of the EU. So in theory a US citizen over in the UK being captured in CCTV or Body Worn Video can use GDPR to obtain this footage because the EU's jurisdiction extends to that country.
The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.
The current position of the UK government is that GDPR will be incorporated in to UK law as part of Brexit. This has been the position throughout the process and we feel that is very unlikely to change over the coming years and months. For the rest of this article we will call them the UK and EU versions of GDPR.
A question is though, will the newly created version of GDPR within the UK law actually be the same thing, will it be called something else, will companies need to comply to both GDPR-EU and GDPR-UK, will they update together, will the Information Commissioners Office (ICO) have power over EU companies in the UK and vice versa.
To those questions I am afraid only time will tell, but it is pretty safe to say that what need to do for GDPR now will be what you will need to do for many years to come.
There will be no immediate change to the UK’s data protection standards. GDPR will be brought into UK law and the Information Commissioner will remain the UK’s independent supervisory authority on data protection.
This is a more interesting question, as we know whatever happens within the UK the EU will still have GDPR and it will be enforced as it is by their individual country Data Protection Authorities - in the UK that is the ICO.
As we explored in the earlier section about who is covered, it is not solely EU Citizens but it is more generic. Let's consider a cut and dry case first:
A UK company that operates in the UK and the EU: Because you operate in the EU and hold data from people in the EU you will have to comply to GDPR and also whatever the UK version becomes. This is true of companies in the US or any other part of the work that operate in the EU.
A more contentious case:
A UK company capturing video of EU citizens in the UK: This case is applicable to the large number of 7,500 registered private security companies in the UK. So after Brexit, if GDPR is bought in to UK law verbatim then yes you will need to provide the video / personal data under the UK version of GDPR because it will cover those people as it does now.
If the UK version of GDPR only has the power to extend to UK border and the EU version to the EU boarder then will that person be able to use either GDPR to apply for data? That is a case we will need to see clarified.
If your organisation operates in the EEA, you will need to comply with both UK and EU data protection regulations after Brexit. You may also need to appoint a representative in the EEA.
The conclusion of this piece is pretty straight forward for UK based companies capturing video footage of people in the UK.
From our research, GDPR in one form or another is going to still apply post Brexit so you should comply with the current legislation to prepare yourself going forward - simple as that.