Following the recent Leave vote, many businesses will no doubt
be left bewildered as to the likely short-term and long-term
effects that Brexit will have on UK data protection law, and what
these effects will mean in practical terms. In particular, what
does Brexit mean in relation to the European General Data
Protection Regulation (GDPR), and what steps can organisations take
to prepare and protect themselves?
The GDPR was published in the European Official Journal in May
this year, starting a 'sunrise period' that will see its
provisions take effect across the EU from 25th May 2018 (please see
Cyber security: Three quick wins for in-house
counsel').Of course, the summer of 2018 is now
likely to be the time that the UK exits the EU, and it might
therefore be tempting to consider the GDPR as largely redundant for
UK organisations. It seems, however, there are two reasons that
suggest the UK will proceed to adopt a law equivalent to the
If the UK is no longer a member of
the EU, it would be designated a 'third country' and as
such would have to demonstrate that it provides adequate protection
for EU citizens' personal data. It is by no means a foregone
conclusion that the European Commission would make such an adequacy
finding in respect of the UK. This could mean that organisations
established in the EU Member States would have the same
difficulties in transferring personal data to the UK as they are
currently finding with transfers of such data to the US.
The GDPR applies to organisations
located outside the EU, but whose goods and services are aimed at
EU citizens. Accordingly, any UK organisations selling goods or
services to EU citizens will have to observe its provisions or risk
penalties (up to 4% worldwide annual turnover /
It seems likely, therefore, that the UK will ensure the Data
Protection Act 1998 (DPA) is brought into line with the GDPR, so as
not to fall foul of the EU's requirement for adequate
protection of its citizens' data. In addition, and irrespective
of any changes to national provisions, UK services selling products
and services to citizens of the EU will still be subject to the
GDPR due to its extra-territorial reach. This was confirmed by the
Information Commissioner's Office (ICO) on the
day of the referendum result, stating that "...UK data
protection standards would have to be equivalent to the EU's
General Data Protection Regulation framework starting in
The likelihood seems to be that the UK will need to adopt more
stringent data protection laws, whether this be through an enhanced
DPA or a close equivalent to the GDPR. Organisations should
continue to follow the advice of the ICO in respect of how best to
prepare for the GDPR, in particular by ensuring that they are
compliant with the DPA. They should give some thought to how they
will address the new obligations such as the right to be forgotten,
data portability and appointment of data protection officer,
subject to an element of "wait and see" vis-ŕ-vis
the final details of the new law.
While specific provisions are currently unknown, businesses can
put themselves in the best possible position by organising any data
currently held, and as the ICO advises in respect of the GDPR,
"document what personal data you hold, where it came from and
who you share it with". With negotiations between the UK and
the EU pending, the GDPR seems to be a strong indication, in one
form or another, of what is to follow in terms of data
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The fourth and final part of our mini-series on the draft ICO guidance on Consent, published on 2 March 2017, focuses on the practical impact the GDPR (General Data Protection Regulation) will have on how your organisation records and manages consent.
In light of the much anticipated ICO draft GDPR (the General Data Protection Regulation) Consent Guidance being published yesterday, 2 March 2017, we will be running a mini-series on the guidelines under consultation and the impact the GDPR will have on the much vexed position of consent and the impact on your business.
The first of our four discussions on the ICO guidelines for Consent will focus on the meaning of consent under the GDPR (General Data Protection Regulation) and how this change enhances the previous law on consent to data processing.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).