- 11 July 2016
- Privacy and Data Protection
In the pre-23 June 2016 world of certainty, stability and legislative timetabling, British businesses knew that, so far as their data protection obligations were concerned, they would have a couple of years to comply with the requirements of the new EU General Data Protection Regulation (GDPR), which was adopted in April this year and takes effect from 25 May 2018.
Most would agree that some reform was necessary. The current EU data protection regime is based on the Data Protection Directive, introduced in 1995. Our very own Data Protection Act (DPA), which brought British laws on data protection in line with that Directive, was enacted, for the most part, over 15 years ago, in an era when phones weren’t “smart”, online marketing was in its infancy, employee records were still largely kept in metal filing cabinets and binoculars were a useful surveillance tool. A lot has changed.
What has also – possibly – changed is the UK’s future requirement to enact EU Directives into domestic law. So, as several of our clients have already asked in the past couple of weeks, what now for the GDPR? Should we brief senior management, designate a Data Protection Officer, update our Subject Access Procedure and so on? Or should we assume the GDPR will never apply?
Chambers and Partners
The Clarkslegal team are commercial and good to work with. They get what our business needs and tell me what I need to hear.
Afraid we can’t really say definitively.
This was the view of the Information Commissioner, Christopher Graham, in a recent press release:-
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s [Information Commissioner’s Office’s] role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
However, the Government view is rather less positive. The UK minister responsible for data protection, Baroness Neville-Rolfe, recently acknowledged that “for a period the future will be more uncertain” and that it is not certain if the GDPR will apply in the UK:-
“On one hand if the UK remains within the single market EU rules on data might continue to apply fully in the UK. On other scenarios we will need to replace all EU rules with national ones. Currently it seems unlikely we will know the answer to these questions before the withdrawal negotiations get under way.”
So what is the best approach now for a forward-thinking and well-prepared business?
- Certainly, continue to ensure carefully that you understand and comply with obligations under the DPA. As the ICO has stated in its advice on the GDPR, “many of the principles in the new legislation are much the same as those in the current DPA. If you are complying properly with the current law, then you have a strong starting point to build from. But there are important new elements, and some things will need to be done differently.”
- Monitor developments and ensure you are ready to respond. For example, if the GDPR is enacted, you will need to designate a Data Protection Officer or equivalent.
- And, finally, please don’t assume that we will avoid enacting the GDPR. Any UK business involved in cross border transfers of personal data in the EU post-Brexit (and that is potentially a huge number, be this employee or customer data) will, in all likelihood, need to be subject to national data protection laws at least as stringent as those envisaged by the GDPR, or those transfers will become far, far more difficult.
The problems that can easily arise where another national regime is not viewed as stringent enough was very well demonstrated after the Schrems decision in the European Court of Justice last year (which related to Facebook’s transfers of personal data to the US). This struck down the EU-US “Safe Harbour” agreement which had allowed personal data to be transferred legally between EU countries and the US for 15 years and which some 4,000 US companies relied on. Teams of EU and US negotiators have been valiantly trying to put in place a replacement for over two years, but this is not yet agreed and may not even be effective legally. Don’t for a minute think it would be easier for the UK and EU to negotiate a post-Brexit Safe Harbour-style agreement!
And the alternatives – so-called “Binding Corporate Rules” within a corporate group or a binding data transfer agreement between a data transferor in an EU country and a data recipient in the UK – would each be subject to approval from relevant national data protection regulators, bringing inevitable delay and expense.
In short, enactment of the GDPR (or something closely equivalent) into our national law, despite some of its more onerous aspects, might well be the preferred option for businesses which carry out data transfer from and to the EU.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
Read, listen and watch our latest insights
- 22 February 2024
Time to take the heat off menopausal women
On 22 February 2024, the EHRC released guidance and resources for employers designed to help employers understand their legal obligations in relation to supporting workers experiencing menopausal symptoms.
- 22 February 2024
Talking Employment Law: What to do if you’re at risk of redundancy
In this podcast, Harry Berryman and Rebecca Dowle, members of the employment team, will talk through the steps that need to be taken for a redundancy to be fair and the range of criteria that can be used when determining which employees will be made redundant.
- 21 February 2024
FAQs Partner Visa UK
Discover the UK Spouse Visa: eligibility, finances, relationship criteria, and the latest updates in 2024 for a successful application.
- 19 February 2024
- Privacy and Data Protection
The role of Data Protection Officers in ensuring compliance
How many of us receive marketing calls for products and services we did not sign up for?
- 12 February 2024
The World of Work in 2024- What Can HR Expect?
In many senses, 2024 is unlikely to be a year with radical ruptures from those that have gone before it. The significance of 2024 though, is that it is likely to build upon those megatrends impacting the world of work, which have been emerging for some time now and are only likely to strengthen as we move on in time.