The Secretary of State, Karen Bradley MP, has confirmed that the UK will opt into the GDPR when it comes into force in May 2018. The GDPR has been designed to replace the current EU data protection regime, which is based on the Data Protection Directive (95/46/EC) and, in the UK, is implemented by the Data Protection Act 1998. The principal rationale behind the GDPR is to bring the law up to date and to make it better suited to the growth of the digital economy and the different ways in which large amounts of personal data – much of it sensitive – are increasingly collected and exchanged.
Brexit or no Brexit, the GDPR is a reality for the UK. It will come into force in May 2018 and will bring with it a number of changes to the data protection landscape. Many of these require major changes in the way that businesses collect and use data, and it is therefore very important indeed that businesses of all sizes plan for the GDPR so that they are ready for its implementation in May 2018.
The GDPR introduces a number of new concepts and approaches which businesses will need to be prepared for ahead of the implementation of the GDPR in May 2018. Some of the main differences can be summarised as follows:
- Harmonisation – as a regulation it has direct effect across all EU Member States. One of the disadvantages of the previous regime was that it was based on a directive and was therefore implemented in slightly different ways across the EU. While the GDPR leaves some flexibility to Member States, it will bring in a greater degree of harmonisation.
- Liability for non-EU businesses – businesses that offer goods or services to data subjects in the EU, or that monitor data subjects' behaviour within the EU, will be subject to the GDPR regardless of where they are established.
- Enforcement powers – the enforcement powers of National Data Protection Authorities (NDPAs) have been increased significantly. The UK's ICO can currently levy a maximum fine of £500,000. Under the new regime, fines of up to 4% of annual worldwide turnover may be imposed.
- Consent – consent is a key feature of both the new and the old data protection regimes. The GDPR has, however, tightened up what can be relied on as consent and moves very much towards explicit consent. Under the GDPR, businesses will have to demonstrate that consent has been obtained, which is likely to make it much more difficult to rely on implied consent.
- Privacy by design and by default – businesses will be obliged to take data protection requirements into account in relation to any new technology, product or service that involves the processing of personal data, and to keep those measures up to date. There will also be an obligation on businesses to conduct data protection impact assessments before carrying out processing that uses new technologies.
- Registration – the requirement to register with the NDPA has been abolished.
- Notifying breaches – there is now a mandatory requirement on businesses to notify the NDPA of a data breach in most cases; where the breach is likely to result in a high risk to individuals, businesses are also required to inform the affected data subjects of the breach.
- Obligations on data processors – under the current regime the onus of complying with the legislation falls on the data controller. The GDPR imposes a number of new obligations directly on data processors, and these obligations carry significant sanctions for breach.
- The right to be forgotten – this is expressly set out in the GDPR, and the current rights to be forgotten, which were confirmed in the recent decision of the Court of Justice of the European Union (CJEU) in the Google Spain case, have been expanded.
- Data subject access requests – the time allowed to respond to these has been shortened and the amount of information that must be provided has been increased.
This announcement by the Secretary of State does not come as a surprise, given that on anyone's timescales the UK will still be part of the EU in May 2018. It is also consistent with the line that the Information Commissioner's Office has taken since the Brexit vote in June. It is, however, a welcome clarification of the data protection landscape, at least for the next couple of years.
Of course, if and when the UK does leave the EU it would be open to the UK Government to amend and deviate from the data protection regime adopted under the GDPR and indeed some commentators believe that the GDPR achieves its aims of providing high levels of protection to members of the public at the expense of business.
Any changes to the UK's data protection regime post-Brexit are, however, likely to be problematic. The GDPR imposes liability on businesses outside the EU, meaning that non-EU businesses that offer goods or services to data subjects in the EU will be subject to the GDPR in the same way as if they were based in the EU. Additionally, if the UK finds itself outside the EEA following any Brexit, flows of data to and from EEA countries will be difficult unless there is a finding of adequacy in relation to the UK's data protection regime. Logically, one way to secure such a finding of adequacy would be to have the same data protection law as the rest of the EEA.
Any material deviation from the GDPR may well put the UK in the same position as countries such as the USA, where businesses wishing to transfer data from the EEA find themselves having to either enter into Binding Corporate Rules (BCRs), enter into model contract clauses or, as in the case of the USA, negotiate an equivalent of the Privacy Shield regime, which was recently put in place for data flows between the EEA and the USA following an agreement between the EU and the USA.