Is GDPR relevant for post-brexit Britain?

The new General Data Protection Regulation (GDPR) will come into force for all EU members from 28^th May 2018 so the clock is ticking away to become compliant. However, what does this mean for post-Brexit Britain? This blog looks at the implications:

Background

The official General Data Protection Regulation (GDPR) policy has been published in the Official Journal of the European Union, meaning that it will come into effect and apply in all EU Member States from May 2018. The GDPR will replace the existing EU Data Protection Directive and, given its statutory form, will not need to be implemented into national laws. Rather, it will have direct effect in all EU Member States and will apply to all data controllers and data processors.

Considerations post-Brexit

Given the referendum result of Brexit on June 23^rd this year, the Information Commissioner's Office (ICO) has confirmed that 'the Data Protection Act remains the law of the land' until it is repealed or amended but in the event that the UK is not part of Europe, the 'upcoming EU reforms to data protection law would not apply to the UK'. However, the ICO has gone on to say that if the UK wants to trade with the Single Market on equal terms it would need to prove 'adequacy' in respect of its data protection legislation. In other words, the UK data protection legislation would 'have to be equivalent to the EU's General Data Protection Regulation framework'. As such, it is very much the case that the ICO considers it necessary to push forward with proposed reforms of UK data protection legislation (as contained within the GDPR) in one way or another.

Implications

The good news is that many of the GDPR’s main principles are similar to the current Data Protection Act (DPA) therefore if you are currently compliant you don’t have to worry too much. However, we would advise you start to plan your approach now. Large, complex businesses could have major budgetary, IT, personnel, governance and communications implications.

To this end, the ICO's 12-step checklist and guidance on getting to grips with the key changes under the GDPR remain relevant and going forward the ICO will publish further guidelines, including an overview of the GDPR (or its equivalent), guidance on individuals' rights, privacy notices and the issue of consent.

Summary

Notwithstanding Brexit, we are set to see a changing landscape within the world of UK data protection legislation, including, amongst other things:

• increased fines in the event of breach
• mandatory notification of breaches without undue delay
• increased rights for data subjects
• stricter consent requirements
• the obligation to appoint a data protection office