It has been a hectic fortnight for UK politics, and in the past few days there has also been a flurry of activity on the data protection front. The Information Commissioner’s Office (“ICO”), the UK’s data protection and information rights regulator, has published its promised overview of the General Data Protection Regulation (“GDPR”), whilst the UK’s data protection minister, Baroness Neville-Rolfe, has given a speech outlining the Government’s views on the future of data protection post-Brexit, and on data transfers in the light of the proposed EU-US Privacy Shield.
As we explained in a previous post, the ICO has promised a phased approach to publishing guidance relating to the GDPR, the pan-EU data protection law, in the run-up to its coming into force in May 2018. The first fruit of this labour was the ‘12 steps to take now’ document. The second, the significantly more detailed ‘Overview of the General Data Protection Regulation’, was published yesterday.
In the introduction to its new guidance, the ICO tackles the issue of Brexit, and the UK’s future departure from the EU, head on. In essence, it considers that it is still important to provide GDPR related guidance to UK based organisations for a number of reasons:
- many UK businesses operate internationally, and will have overseas operations which will still be in the EU post-Brexit;
- the GDPR contains several new features (e.g. breach notification and data portability) which all information rights professionals need to be familiar with;
- international consistency around data protection laws is crucial, and the UK will need to adopt similar (or possibly the same) standards as the rest of the EU to be deemed capable of offering an adequate level of protection and to free up cross-border data flows (see today’s post from my colleagues Andrew and JP, in which this issue is considered in detail).
The guidance itself, written in the ICO’s familiar pragmatic and clear style, is a good high-level introduction to the key themes of the GDPR, and in particular the new data subject rights.
Meanwhile, speaking at a Privacy Laws & Business conference, Baroness Neville-Rolfe, Minister for Data Protection, echoed some of the comments made in the ICO’s introduction to its new guidance. She emphasised that one of the few certainties of these uncertain times is that, if UK organisations wish to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection against the standard of the GDPR. Baroness Neville-Rolfe also touched on the issue of timing, and the likelihood (although not certainty) that the UK’s departure from the EU will come at a point in time after the entry into force of the GDPR.
The Minister also covered the issue of EU-US data transfers, and the negotiations to agree a renewed ‘Safe Harbor’ style agreement by means of the proposed EU-US Privacy Shield. The Minister confirmed reports that the Article 31 Committee (comprised of representatives of the Member States who cooperate in taking decisions on matters of data protection law) is currently meeting to iron out concerns expressed by the European Parliament, the European Data Protection Supervisor and the Article 29 Working Party about the draft of Privacy Shield which was published in February. Early indications are that agreement may very recently have been reached on a revised text – please watch this space for further details.
Finally, Baroness Neville-Rolfe also made a number of comments on another issue which is high up many corporate agendas – cyber security and data breaches. She discussed the Government’s investment in a National Cyber Security Centre, which will be a single point of contact for industry to get advice and support on cyber security. The Minister also gave a strong and clear message that businesses must do more to ensure their staff have an understanding of cyber threats, and that they have procedures and systems in place to detect and respond to threats which are becoming more prevalent with every passing day.