The General Data Protection Regulation has been published meaning that it will come into effect from 28 May 2018 in EU Member States. We now look at what this means for the UK in the light of Brexit.
The official text of the General Data Protection Regulation (GDPR) has been translated and published in the Official Journal of the European Union, meaning that it will come into effect and apply in all EU Member States from 28 May 2018. As we have commented before, the GDPR will replace the existing EU Data Protection Directive and, given its statutory form, will not need to be implemented into national laws. Rather, it will have direct effect in all EU Member States and will apply to all data controllers and data processors.
Given the referendum result of Brexit, the Information Commissioner's Office (ICO) has been keen to confirm that 'the Data Protection Act remains the law of the land' until it is repealed or amended but in the event that the UK is not part of Europe, given the referendum result, the 'upcoming EU reforms to data protection law would not apply to the UK'. However, the ICO has gone on to stress that if the UK wants to trade with the Single Market on equal terms it would need to prove 'adequacy' in respect of its data protection legislation. In other words, the UK data protection legislation would 'have to be equivalent to the EU's General Data Protection Regulation framework'. As such, it is very much the case that the ICO considers it necessary to push forward with proposed reforms of UK data protection legislation (as contained within the GDPR) in one way or another.
In light of this, organisations would be best placed to continue to plan for the implementation of the GDPR as if it was still due to come into effect in May 2018. To this end, the ICO's 12-step checklist and guidance on getting to grips with the key changes under the GDPR remain relevant and going forward the ICO will publish further guidelines, including an overview of the GDPR (or its equivalent), guidance on individuals' rights, privacy notices and the issue of consent.
Notwithstanding Brexit, we are set to see a changing landscape within the world of UK data protection legislation, including, amongst other things:
- increased fines in the event of breach
- mandatory notification of breaches without undue delay
- increased rights for data subjects
- stricter consent requirements
- the obligation to appoint a data protection office.
We also await further information regarding the UK's position within the EU's 'safe data' zone. Post-Brexit, the UK would clearly fall outside the EU and, in the absence of 'adequacy', the sending of personal data from EU countries to the UK would be more difficult, making business transactions similarly more difficult without administrative formalities being in place.