A close observer of the GDPR will have noticed that, in several places, individual EU Member States can implement derogations from the GDPR requirements. Of course, as a regulation under EU law there is less scope for local flexibility under the GDPR than under the current EU Data Protection Directive 95/46. Yet the GDPR does, in a number of key areas, allow an EU Member State to set down local laws that could allow a more locally relevant flavour to a particular aspect of compliance.
While the prospect of different local flavours may be unwelcome to global businesses seeking to maintain a harmonised standard of compliance across the EU (one of the policy aims of the GDPR of course), clearly the EU policy makers and legislators considered that Member States must be given room to implement their own rules in certain areas. For instance, Member States may introduce further rules around the use of genetic data, biometric data and health data.
Now the UK Government (Brexit notwithstanding) has launched a call for views on the GDPR derogations. In its publication the UK Government indicates that it pressed hard throughout the GDPR negotiations to ensure that the GDPR does not place unnecessary burdens on business. This then is the opportunity it is providing to business to give their views on the scope and shape of the derogations permitted in the GDPR.
This opportunity will be of particular interest to those organisations that deal regularly with sensitive personal data particularly in the context of healthcare, life sciences and scientific research. Where the GDPR (or existing local law) may be insufficiently clear concerning whether a particular processing scenario is permitted, here is an opportunity for businesses to place their arguments before the UK Government and seek to influence future compliance.
The full list of the derogations which the UK Government is seeking input on is set out in the publication. Significantly, there is an additional question at the end of the publication seeking input on the steps the UK Government should take to minimise the cost or burden to business of the GDPR.
The closing date for submitting views is Wednesday, 10 May 2017.