The UK has woken this morning to an uncertain future with a clear mandate to exit the European Union over the next few years. This uncertainty extends inevitably to data protection laws which are underpinned by European legislation – currently the EU Directive 95/46/EC and, with effect from May 2018, the General Data Protection Regulation (“GDPR”).
In the immediate term those laws remain unchanged with the Data Protection Act 1998 in force until the GDPR takes effect. Obviously what happens to GDPR itself will be a key question for many as we undergo the managed exit process. That has yet to start and there will be months of uncertainty as political and negotiating positions evolve.
What seems clear though is that the UK is and remains committed to data protection compliance and welcomes the commercial benefits that a harmonisation of data protection, cyber risk and ecommerce laws has brought across Member States in engendering an integrated digital market. Negotiators will be keen to preserve that as part of continued access to the free trade area, and with it the “passporting” of data that compliance with the GDPR standards brings. We will continue to monitor closely how the ICO and UK Government work with European counterparts over the coming months to provide a future roadmap against which companies can plan ahead. That planning cycle is essential given the significance of the potential changes that compliance with GDPR (or any equivalent UK-specific privacy legislation) requires.
Q: I represent a data controller in the UK and want to know if I should still continue with GDPR planning and preparation?
A: If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear. The UK Government has indicated it will implement equivalent or alternative legal mechanisms. Our expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO and UK Government as an effective privacy standard, together with the fact that the GDPR provides a clear baseline against which UK business can seek continued access to the EU digital market.
Q: How can I keep up to date with the next steps?
A: We will post timely updates on this blog along with thought leadership and other updates. You can also read our summaries of the GDPR requirements at our data privacy microsite – www.dlapiper.com/dataprotection