Following the outcome of the UK's referendum on European Union membership, many organisations understandably remain uncertain about the future outlook of the data protection regime in the UK.
In his response to the referendum result, the Information Commissioner advised that the ICO will be discussing with the UK government the implications of the referendum result for the UK data protection landscape over the coming weeks, maintaining that data protection reform remains necessary.
Although the nature of the data protection reform remains unclear, in its July blog, the ICO confirmed that one thing is certain: the European General Data Protection Regulation (GDPR) will still be relevant for many organisations in the UK. This is particularly the case for those offering goods or services into the EU or carrying out monitoring of EU citizens.
The ICO therefore decided to press ahead and publish the first part of its guidance on the GDPR, namely an overview of the law highlighting the key themes of the GDPR. It considers that this will still be useful for many organisations in the UK so that they can familiarise themselves with the GDPR’s main principles and concepts. The ICO also intends to continue with its plan of producing further guidance, although it points out that the timings for the guidance 'might not be so rigid'.
The GDPR will come into force across the EU on 25 May 2018 and will have direct effect without the need for separate national legislation. Since it seems unlikely that the Brexit negotiations will be finalised before then, this obviously raises some interesting questions on timing.
Although the government's approach to Brexit and the timing is not yet clear, as stated in our previous update, it is our view that any UK data protection laws are likely to closely mirror the major aspects of the GDPR.
If we remain in the European Economic Area (EEA) and re-join the European Free Trade Association (EFTA) in order to benefit from single market access, it is highly likely that we would be required to accept the GDPR. Even if we were to go it alone, it seems certain, particularly in view of the ICO's reaction, that the UK's data protection regime will require reform.
Organisations should continue with their GDPR compliance programmes, with a focus on ensuring that key policies and training are in place, as these will form the building blocks of the new data protection regime, whatever form it takes.
Effective breach notification processes and privacy impact assessment procedures are also key compliance tools: they are best practice now and will assist with GDPR implementation in due course.
When drafting or reviewing clauses relating to applicable laws, it is important to ensure that flexibility is incorporated to encompass not only the current UK regime and the GDPR but also any future legislation applied in the UK in whatever form that may take.
Organisations offering goods or services into Europe will also need to consider in which Member State they will appoint a representative and therefore with which EU regulator they will liaise as their EU main regulator.
We will continue to provide updates on the Brexit negotiations and new ICO guidance.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.