Data Protection

Potential impact

  • Data protection compliance in the UK is currently based on the Data Protection Act 1998 – a UK statute implementing our interpretation of a 1995 European Directive.

  • For a more harmonised approach to data protection, the EU have been negotiating to reach agreement on the new General Data Protection Regulation (as opposed to a Directive). A Regulation does not require any implementing legislation from each member state as it has direct effect.

  • The new GDPR came into force on 24 May 2016, with a transition period of 2 years, meaning it takes full effect on 25 May 2018. It will automatically take effect in all countries which are member states of the EU on that date.

  • Therefore, given the likelihood that Brexit will not take effect before March 2019, there is every likelihood that all UK organisations will need to comply with GDPR as of 25 May 2018 or risk being in breach of the applicable data protection laws.

  • Even after Brexit takes effect, the UK will need to adopt our own legislation in place of GDPR, and that legislation will need to be broadly similar in effect. Otherwise, there is every chance that the UK would not be regarded as a sufficiently compliant country for European member states to safely transfer data and conduct business.

What to do at this stage

  • As a result, we all now have less than 2 years to prepare for the GDPR and adapt our existing approach to data handling to meet its more stringent regime.

  • Achieving compliance with GDPR is not going to be a wasted effort, as the work can then be leveraged to ensure compliance with whatever UK legislation replaces GDPR upon Brexit – essentially this is a way of future-proofing compliance in this space.