Current data protection legal landscape
The UK’s Prime Minister Theresa May recently announced that she will trigger Article 50 (the formal process to begin the UK’s exit from the European Union (EU)) by the end of March 2017. This effectively means that the UK will exit the EU two years after notification (unless all member states unanimously decide to extend this period).
The forthcoming EU reforms to data protection laws in the form of the General Data Protection Regulations (GDPR) are therefore likely to apply before the UK leaves the EU. The GDPR will come into effect in the EU on 25 May 2018, which is likely to be in the midst of the withdrawal process.
Elizabeth Denham, the UK’s new Information Commissioner, has made it clear that not only is the GDPR likely to apply before the UK leaves the EU but also that the data protection standards the GDPR requires will continue to guide the ICO even after Brexit. On 3 October 2016 she said: “I don’t think Brexit should mean Brexit when it comes to standards of data protection.”
With this in mind, organisations operating in the UK should ensure that they do not use Brexit as a reason to ignore the GDPR or shelve plans to get GDPR-ready. The GDPR will regulate those businesses that control and process personal data in the EU from 25 May 2018 and the UK will probably still be a member of the EU at this time. Even accounting for any changes in UK legislation post-Brexit, the clear message from the UK regulator is that the standards set by the GDPR will continue to be implemented in the UK. To some extent, maintaining these standards under local UK laws will be a necessity if the UK looks to guarantee ease of data flow with EU member states post-Brexit by seeking a determination from the EU that the UK’s data protection laws are “adequate” for these purposes.
To gear up to be GDPR-compliant, businesses will need to step up their data protection policies and practices. A key part of being ready for this new regime will be to ensure that privacy and data protection principles are “baked in” to an organisation’s approach to data handling. Steps to consider include:
- undertaking a Data Protection Impact Assessment to help identify and fix problems ahead of the GDPR coming into effect;
- reviewing the personal data held by your business and considering if there are further steps that can be taken to minimise risks associated with handling of this data (such as minimising the personal information held, pseudonymising data or increasing use of encryption or other security measures);
- appointing a data protection officer if appropriate (this will be mandatory for public authorities (except courts acting in their judicial capacity), organisations that undertake systematic monitoring of individuals and those which carry out large scale processing of certain special categories of data); and
- considering where consents from data subjects may be needed in your processes and identifying how these can be obtained and recorded.