The UK is committed to promoting itself as a global data protection gateway, with high standards of data protection law and practice, according to the UK Information Commissioner’s Office’s (ICO) newly released international strategy for effectively protecting the public’s personal information over the next four years.
The ICO strategy is pragmatic, and it recognizes not only the enduring need for strong privacy protections, but also the need for greater regulatory certainty. It provides other key insights into how the UK plans to approach the protection of personal data both before and after Brexit as well.
A Commitment to the GDPR
Based on UK Government commitments to the EU’s General Data Protection Regulation (GDPR), the ICO strategy justifiably presumes that the GDPR will apply in the UK both before and after Brexit to ensure there is continuity and certainty. The UK’s role going forward in the Article 29 Working Party and its successor, the European Data Protection Board (EDPB), will be determined as part of Brexit negotiations. However, the strategy makes clear that the UK will seek to maintain a strong working relationship with the EDPB regardless of the outcome of the negotiations, and will seek to strengthen appropriate bilateral relationships with individual EU data protection authorities.
Growing Relationships Globally
As data privacy issues become increasingly complex and global in nature, and with a growing number of countries developing their own frameworks to ensure data protection, the ICO will look to build relationships in the Asia Pacific region and in other regions beyond Europe. In addition, the UK will further develop its ties with other data protection authorities in Commonwealth countries via the Common Thread Network.
Rethinking ICO Structure, Resourcing, Engagement and Evaluation
The ICO will establish a new International Strategy and Intelligence Department, with international activity as its core focus. To bolster its new department, the ICO plans on adding resources to support its international team and is evaluating using staff exchanges, secondments and cross-office work to achieve this goal. In addition to forming a new international department, the Office will also host the 2017 Conference of Information Commissioners (focused on freedom of information), the 2017 European data protection case handling workshop, the Global Privacy Enforcement Network (GPEN) practitioner’s workshop and will bid to host the International Conference of Data Protection and Privacy Commissioners.
As the UK continues to prepare for Brexit, the ICO has made clear that the UK will seek to implement the GDPR in UK law, rather than creating yet another competing data protection regime, with its approach being recognized as a leading standard globally. Organizations concerned with how the UK will implement its own privacy regime post-Brexit should continue to focus on establishing and maintaining compliance with the GDPR and watch for bilateral privacy protection agreements as the UK seeks to become a data privacy portal that is interoperable with different data protection legal systems around the world.