The EU’s General Data Protection Regulation (GDPR) turned one year old on May 25, 2019. What’s been the experience? Kim Walker, Co-Chair of the Privacy Team of Shakespeare Martineau, a premier UK law firm, provides insight into how this comprehensive law of personal data privacy has unfolded in the United Kingdom.
The Queen gave Royal Assent to the UK Data Protection Act 2018 two days before GDPR became effective in the UK and the rest of the EU. This made GDPR the enacted law of the UK and ensured UK law will be consistent with GDPR after Brexit. Its impact has been favorable to business and people. Businesses that took GDPR seriously have found it positive for reputational purposes, showing them to be companies that embrace privacy rights of consumers and others. Individuals have been positive as well. The UK’s Information Commissioner’s Office (ICO) took the approach of working with the business community to implement the GDPR rather than immediately using enforcement as a club to threaten businesses into compliance. Fines that have been imposed in 2018-2019 have primarily arisen under prior laws, where the monetary limits for penalties were much lower than allowed under GDPR. For example, a June 2019 fine of £90,000 involved nuisance marketing phone calls without prior consent. The ICO has indicated that year two will focus on accountability, so we can expect compliance audits and enforcement investigations of non-compliant businesses, as well as the first significant fines imposed under the GDPR as investigations of GDPR non-compliance over the last year are completed and any sanctions announced.
The UK approach will be familiar to anyone knowledgeable about GDPR, as UK law contains no major derogations of the kind GDPR allows. Certain criminal and procedural matters are left to local practice, but none that would force business policies and practices to differ in any major way from what is required in other EU countries.
If the UK leaves the EU (will November 1 find it outside the EU?), the 2018 Act will simply remain in place unless changed by Parliament in the future. Transfers of EU data to the UK will require rethinking if a “hard” Brexit occurs, as laws that govern outward data transfers from the EU would then include transfers to the UK once it is no longer an EU member.