The UK government has confirmed that the UK will implement the General Data Protection Regulation (GDPR).
The GDPR is the legislation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The GDPR is set to come into force in May 2018 and will replace the current EU Data Protection Directive and most national data protection laws.
During her recent question and answer session before the UK Parliament Select Committee for Culture, Media and Sport, Karen Bradley MP (the UK government minister for Culture, Media and Sport) confirmed that the UK will “opt in” to the GDPR when it comes into force in May 2018.
The minister explained that the UK “will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public”.
The UK Information Commissioner's Office (UK ICO) has welcomed this news, citing the importance of public confidence in the protection of personal data to the growth of the digital economy.
While the minister stated the UK would “opt in” to the legislation, in actuality the UK has no choice but to recognize the GDPR, which is directly applicable in all EU member states, for as long as the UK remains part of the EU. The UK is likely to be an EU member state for some months post-May 2018, given the recent UK High Court ruling on the need for parliamentary approval to trigger the Article 50 notification. However, the minister's statement is a useful and timely confirmation of the UK government's approach over the shorter term.
UK Approach to Data Protection Post-Brexit Remains Unclear
Whilst the minister's statement confirms how the UK will legislate for data protection whilst it remains part of the EU, her comments hint that the UK's longer-term approach to such matters post-Brexit remains unclear.
For its part, the UK ICO has acknowledged that there “may still be questions about how the GDPR would work on the UK leaving the EU”. However, it added that this should not distract from the important task of ensuring compliance with the GDPR when it comes into force.
Lastly, the UK ICO reiterated its commitment to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of the legislation coming “online” in May 2018. To this end, it will shortly publish a timeline setting out the areas of GDPR guidance it will be prioritising over the next six months.