The announcement by the Secretary of State for Culture, Media and Sport follows a period of uncertainty as to whether or not the General Data Protection Regulation (GDPR) would apply when it comes into force in May 2018. The uncertainty arose largely a result of speculation as to the timing of the UK's exit from the European Union (EU) but it now looks likely that the UK will still be a member of the EU during 2018. The GDPR, which comes into force on 25 May 2018, will therefore be a reality for the UK.
Following the announcement by the Secretary of State, the Information Commissioner, Elizabeth Denham, released a blog in which she welcomed the announcement as "good news for the UK" and recognised that the GDPR provides data subjects with greater control over their personal data than the current legislative regime.
Impact for the UK
This formal confirmation that the UK will implement the GDPR should provide some additional clarity for businesses in the lead-up to Brexit.
As covered in our Brexit and Data Protection briefing, after the UK leaves the EU, the GDPR will cease to apply. However, the reality for UK businesses trading with the EU is that compliance with the GDPR will continue to be necessary due to the GDPR’s extraterritorial applicability.
If on Brexit the UK also leaves the EEA then it will have to demonstrate 'adequacy' which, in practice, will amount to demonstrating equivalency with the GDPR. A UK data protection framework with the GDPR as its template will likely be the most suitable route map to 'adequacy'.
This together with the fact that the UK, via the ICO, played a key role in the development and negotiation of the text of the GDPR means that any post-Brexit data protection regime in the UK is likely to look very similar to the GDPR.
It is worth noting that the Secretary of State has said that the government will "then look later at how best [the government] might be able to help British businesses with data protection" leaving the door open for some changes.
What does this mean for your business?
The GDPR comes into force in just over 18 months' time and, with any lingering uncertainty around the implementation of the GDPR now dispelled, businesses should start taking steps to prepare for the GDPR if they have not already done so.
The ICO has indicated that within the next month it will publish a revised timelines setting out the areas of guidance it will be prioritising over the coming six months. Businesses should take note of the ICO guidance timeline once published as the guidance should be helpful in assisting organisations to understand how the ICO intends to interpret some of the more ambiguous provisions of the GDPR within the UK. We will provide updates on guidance published by the ICO.
For further guidance please see our briefings on the GDPR or alternatively contact Andrew Dunlop for information.