The GDPR will apply to the UK when it takes effect on May 25, 2018, but the government will need to adopt domestic data privacy legislation upon the UK’s pending exit from the EU.
The United Kingdom’s current data protection laws, such as the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations, are derived from European Union legislation: they implement European Directives into UK law. The EU’s new General Data Protection Regulation (GDPR), which will replace the DPA, will apply from May 25, 2018. Because the GDPR is a regulation rather than a directive, it will be effective in the UK immediately on that date, without any further UK laws being required. The UK government will need to enact domestic data privacy legislation to replace the GDPR when the UK exits the EU. The UK’s data protection authority, the Information Commissioner’s Office, has already advised the government that UK data protection standards will need to be equivalent to those in the GDPR if the UK wishes to trade with the European single market post-Brexit.
Territorial Scope of the GDPR
The GDPR has extraterritorial effect, in contrast to the current data protection directive. The GDPR applies to
- processing activities by data controllers and data processors established in the EU, whether or not the processing takes place in the EU;
- the processing of personal data of data subjects who are in the EU by a data controller or data processor not established in the EU where the processing activities relate to offering goods or services to data subjects in the EU, whether or not payment is required; and
- the processing of personal data of data subjects who are in the EU by a data controller or data processor not established in the EU where the processing activities relate to monitoring the data subjects’ behavior in the EU.
The extraterritorial scope of the GDPR represents a significant expansion of EU data protection obligations: an organization with no EU establishment is caught whenever its processing relates to offering goods or services to, or monitoring the behavior of, individuals in the EU.
Most UK businesses will almost certainly need to transfer personal data to Europe and also to other countries outside the EU such as the United States. Currently, while the UK remains part of the EU, personal data may not be transferred outside the European Economic Area without the consent of the individual, other than to certain countries the European Commission has found “adequate” (such as Canada, for its commercial sector, or Switzerland), unless the business has in place a legally permissible transfer mechanism, such as model clauses or binding corporate rules.
The GDPR and the UK Post-Brexit
When the UK exits from the EU—following up to two years of negotiations after the formal trigger of the exit procedure, which is now set to take place on March 29, 2017—the GDPR will continue to apply to a UK organization only to the extent that it falls within the extraterritorial scope summarized above. For purely UK processing activities relating to UK individuals, the GDPR will no longer apply. The government will therefore most likely need to pass UK data privacy legislation in place of the GDPR for UK data processing and, perhaps, for processing of personal data of UK citizens by non–UK-based organizations, and it is highly likely that such a replacement law will be in place by the time of exit. The scope and stringency of this new legislation will be critical to whether the UK is still deemed to have “adequate” data privacy standards when it leaves the EU. This is, of course, relevant to whether data transfers to the UK from the remaining EU member states are restricted or whether they are permissible without further obligations imposed on EU-based data exporters.
Processing of Personal Data Under the GDPR
Where the GDPR applies to the processing of personal data, a UK company should conduct an initial assessment as to whether it (or any of its affiliates) is acting as a data controller or a data processor in these processing activities. Different obligations will apply depending on the UK company’s role.
The data controller is ultimately responsible for compliance with the data protection principles, which state that personal data must be
- processed lawfully, fairly, and in a transparent manner in relation to individuals;
- collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes—further processing for archiving purposes in the public interest or for scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, up to date—every reasonable step must be taken to ensure that personal data that is inaccurate with regard to the purposes for which it is processed is erased or rectified without delay;
- kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which the personal data is processed; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.
Personal data is lawfully processed only if the data subject has consented to the processing or another lawful basis applies, such as necessity for the performance of a contract with the data subject, compliance with a legal obligation, or the controller’s legitimate interests (where these are not overridden by the interests of the data subject). Further, strict conditions are imposed on whether consent is validly obtained by the data controller: consent must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give.
The data controller must provide a privacy notice to data subjects regarding the processing of their personal data. The privacy notice must be provided at the time of collection of the personal data or, if the data was obtained from a third party, within a reasonable period after obtaining it and at the latest within one month. The privacy notice must be concise, transparent, intelligible, and easily accessible; written in clear and plain language; and provided free of charge. Ensuring that their privacy notices comply with the GDPR will likely be a complex process for many organizations.
There are also direct obligations on data processors under the GDPR (unlike the current DPA) regarding
- the security of processing operations,
- the appointment of a Data Protection Officer, where one is required,
- the engagement of subprocessors, and
- the notification of any breach of data protection obligations (including data security incidents) to the data controller.
The DPA does not have a general mandatory data breach reporting obligation. The GDPR, however, requires an organization to notify the data protection authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to individuals, the organization must also notify the affected individuals without undue delay. The government will therefore need to decide if it will include a data breach notification obligation in the new UK data privacy legislation, either similar to the stringent GDPR requirement or as an alternate obligation, perhaps one with a longer notification period or that is triggered for significant data breaches only, which may be more pragmatic and more suited to the UK’s approach of business-friendly legal requirements.
Recommended Steps to Comply with the GDPR
Organizations can consider taking steps such as the following to prepare for the GDPR:
- Conduct an assessment of what personal data is processed or otherwise stored or held by the organization and/or its affiliates, where it is held, the categories of data subjects (e.g., employees, contractors, contact points at commercial organizations, customers), the nature of the personal data (including whether it is sensitive personal data), for how long it is being retained, whether it is current or historical, how it was obtained (so far as possible), how it is used and with whom it is shared, and the locations of the recipients of the personal data (i.e., identify the data flows).
- Review the consents (or other applicable lawful processing derogations) obtained for the processing of personal data and any privacy notices, policies, or other information provided to data subjects for this processing, and update the notices or policies as necessary under the GDPR.
- Identify any international data flows and any applicable data transfer agreements (including model clauses approved by the European Commission or pursuant to the EU-US Privacy Shield) and ensure that all international data flows are conducted on a lawful basis.
- Review and update as necessary any procedures for responding to data subjects who exercise their right of access or any other rights, such as rectification, erasure, restriction of processing (the GDPR’s successor to “blocking” under the DPA), or data portability, bearing in mind that the GDPR generally requires a response within one month.
- Review data security processes, and review and update any data security incident response plan or prepare a new plan.
- Consider whether the organization (or one of its EU affiliates) needs to appoint a Data Protection Officer, which is required where the organization’s core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of sensitive personal data or criminal conviction data (and for public authorities).
- Review and, as necessary, amend processing provisions with data processors.
- Conduct a privacy impact assessment (ideally on a legally privileged basis) to determine any risk areas for the group, including in relation to data security; note that the GDPR separately mandates a data protection impact assessment before any processing likely to result in a high risk to individuals.
Although the UK was one of the dissenting voices in negotiations about the GDPR and was particularly vocal about its onerous impact on UK businesses, it seems unlikely that the UK will now reduce the extent of data protection obligations on UK businesses after it exits from the EU. To do so would necessarily reduce the current level of data privacy protections afforded to individuals.
The UK government will need to decide if it will retain the same restrictions for cross-border transfers or adopt an alternative solution. The EU-US Privacy Shield will no longer apply to the UK post-Brexit, nor will the protections afforded to EU citizens under the Umbrella Agreement or the Judicial Redress Act to enforce privacy breaches in US courts. The UK will need to decide if it will adopt a similar model to the Privacy Shield for data transfers from the UK to the United States if the current restriction on such data transfers is retained.
Additionally, the UK is likely to apply to the European Commission for a decision of “adequacy” allowing organizations in the remaining EU member states to transfer personal data to the UK without further restrictions. Obtaining an “adequacy” decision of course depends on whether the government has passed laws that are materially similar to the GDPR.