What does this cover?

A milestone has been reached in the world of data protection law.  After 3 years of detailed discussions political agreement has been reached between the European Commission, Council and Parliament on the General Data Protection Regulation (the GDPR). The GDPR will replace the Data Protection Directive 95/46/EC and therefore the UK Data Protection Act 1998 (the DPA) and will be directly applicable in all Member States without the need for implementing legislation.  This is not the end of the legislative process as it still needs to be formally adopted by the Council and Parliament in 2016.  It will come into effect 2 years fully from its formal adoption likely to be in the first half of 2018.

Further detail about the key features of the GDPR is provided in section 2 of this alerter. It should not be forgotten that the European data protection reform package contained two pieces of legislation, the GDPR and the Data Protection Directive for police and judicial co-operation on criminal matters (the Directive). The Directive contains harmonised laws for police and judicial cooperation on criminal matters, intended to improve protection for individuals affected by crime and law enforcement such as victims and suspects, while enhancing cross-border police co-operation to better combat crime and terrorism.

DAC Beachcroft will be undertaking a series of sector specific workshops and publications over the coming months to help guide our clients through these changes.  We will make details available in this alert.

Meanwhile the ICO has commented in a blog that the ICO’s priority for 2016 will be making sure that we do all in our power to ease the introduction of the new rules – for data controllers and data subjects alike. Our approach to regulation begins with clear advice and guidance. We will focus on the new elements first, whilst remembering that there is much in the new regulation that will be familiar to us – the new principles are pretty much the same as the old ones".

The blog notes that the change is inevitable and to assist companies in navigating the regulatory minefield that could be the GDPR, the ICO has laid out its plan to publish progress updates through its blog, on its website and via Twitter.

To view the ICO blog, please click here.

What action could be taken to manage risks that may arise from this development?

Companies should continue, or prompty commence their GDPR implementation programmes. In particular they should review updates from the ICO that are aimed at helping business prepare for the changes.