The General Data Protection Regulation (GDPR) provides for harmonisation of the data protection regulations throughout the European Union. As it is an EU regulation, it therefore applies to the UK without the need for domestic legislation. This means that the GDPR will not apply directly to the UK once it has left the EU. However, for anyone thinking that Brexit means that we can forget about the GDPR, here are some of the reasons why this is not the case and why it still matters:
- GDPR comes into force on 25 May 2018. This is before the UK will have been able to leave through invoking Article 50 (of the Treaty on European Union). With some commentators saying that it could take anywhere from three to six years before an exit has been negotiated, there will inevitably be a period of time when UK organisations will have to comply with the GDPR when processing personal data relating to the country’s citizens.
- UK organisations which manage, store or process personal data relating to EU citizens will have to do so in accordance with the requirements of the GDPR.
- The Information Commissioner’s Office will continue to work with regulators in the EU and urge the government to continue with data protection reforms. It is likely that in an effort to demonstrate that the UK has safe and adequate measures in place to protect personal data, the government will adopt data protection reforms that mirror the requirements of GDPR. This is not least in part due to the data transfer rules which mean that once the UK ceases to be a member of the EU and therefore ceases to be within the EEA, it will have to prove adequate safeguards are in place to enable transfer of personal data from inside the EEA to the UK. The adoption of the GDPR requirements into domestic legislation will assist the UK in proving adequacy.
If you would like to find out more about the issues in this article or about how the Commercial & Technology team can help you please contact Sarah Williamson on 0118 952 7247 or email [email protected].
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.