How can we help?


UK Data Protection: A little part of us that will forever be Europe?

In the pre-23 June 2016 world of certainty, stability and legislative timetabling, British businesses knew that, so far as their data protection obligations were concerned, they would have a couple of years to comply with the requirements of the new EU General Data Protection Regulation (GDPR), which was adopted in April this year and takes effect from 25 May 2018.

Most would agree that some reform was necessary. The current EU data protection regime is based on the Data Protection Directive, introduced in 1995. Our very own Data Protection Act (DPA), which brought British laws on data protection in line with that Directive, was enacted, for the most part, over 15 years ago, in an era when phones weren’t “smart”, online marketing was in its infancy, employee records were still largely kept in metal filing cabinets and binoculars were a useful surveillance tool. A lot has changed.

What has also – possibly – changed is the UK’s future requirement to enact EU Directives into domestic law. So, as several of our clients have already asked in the past couple of weeks, what now for the GDPR?  Should we brief senior management, designate a Data Protection Officer, update our Subject Access Procedure and so on? Or should we assume the GDPR will never apply?

Chambers and Partners

The Clarkslegal team are commercial and good to work with. They get what our business needs and tell me what I need to hear.

Afraid we can’t really say definitively.

This was the view of the Information Commissioner, Christopher Graham, in a recent press release:-

“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s [Information Commissioner’s Office’s] role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”

However, the Government view is rather less positive. The UK minister responsible for data protection, Baroness Neville-Rolfe, recently acknowledged that “for a period the future will be more uncertain” and that it is not certain if the GDPR will apply in the UK:-

“On one hand if the UK remains within the single market EU rules on data might continue to apply fully in the UK. On other scenarios we will need to replace all EU rules with national ones. Currently it seems unlikely we will know the answer to these questions before the withdrawal negotiations get under way.”

So what is the best approach now for a forward-thinking and well-prepared business?

  • Certainly, continue to ensure carefully that you understand and comply with obligations under the DPA. As the ICO has stated in its advice on the GDPR, “many of the principles in the new legislation are much the same as those in the current DPA. If you are complying properly with the current law, then you have a strong starting point to build from. But there are important new elements, and some things will need to be done differently.”
  • Monitor developments and ensure you are ready to respond. For example, if the GDPR is enacted, you will need to designate a Data Protection Officer or equivalent.
  • And, finally, please don’t assume that we will avoid enacting the GDPR. Any UK business involved in cross border transfers of personal data in the EU post-Brexit (and that is potentially a huge number, be this employee or customer data) will, in all likelihood, need to be subject to national data protection laws at least as stringent as those envisaged by the GDPR, or those transfers will become far, far more difficult.

The problems that can easily arise where another national regime is not viewed as stringent enough was very well demonstrated after the Schrems decision in the European Court of Justice last year (which related to Facebook’s transfers of personal data to the US).  This struck down the EU-US “Safe Harbour” agreement which had allowed personal data to be transferred legally between EU countries and the US for 15 years and which some 4,000 US companies relied on. Teams of EU and US negotiators have been valiantly trying to put in place a replacement for over two years, but this is not yet agreed and may not even be effective legally. Don’t for a minute think it would be easier for the UK and EU to negotiate a post-Brexit Safe Harbour-style agreement!

And the alternatives – so-called “Binding Corporate Rules” within a corporate group or a binding data transfer agreement between a data transferor in an EU country and a data recipient in the UK – would each be subject to approval from relevant national data protection regulators, bringing inevitable delay and expense.

In short, enactment of the GDPR (or something closely equivalent) into our national law, despite some of its more onerous aspects, might well be the preferred option for businesses which carry out data transfer from and to the EU.

About this article


This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

  • 22 September 2023
  • Employment

Talking Employment Law: New family friendly rights

In this first podcast in the ‘Talking Employment Law’ series, Lucy Densham Brown and Rebecca Dowle, members of the employment team summarise some of the big new family-friendly Bills that are working their way through parliament.

  • 20 September 2023
  • Commercial Real Estate

Commercial buyers beware of residential Stamp Duty Land Tax

This article discusses a recent case in which a property buyer calculated the Stamp Duty Land Tax due on the purchase at a lower rate, due to the mixed-use purpose of the property.

  • 19 September 2023
  • Privacy and Data Protection

Organisations’ use of social media: Data protection

Social media applications (or commonly known as ‘apps’) are being developed all the time and we are constantly being introduced to new social media platforms, some of which take almost no time to gain huge popularity.

  • 14 September 2023
  • Immigration

Entrepreneurial Dreams: What is the Innovator Founder Visa?

In an era defined by innovation and entrepreneurship, the United Kingdom has made a substantial effort towards fostering its reputation as a global hub for start-ups and innovators. The introduction of the UK’s ‘Innovator Founder’ route has marked a pivotal moment in the country’s immigration policy.

  • 11 September 2023
  • Corporate and M&A

Changes to the tax treatment of Employee Ownership Trusts

The government published a consultation on 18 July 2023 seeking the public’s views on its proposals to reform the tax treatment of Employee Ownership Trusts and Employee Benefit Trusts. Parties are invited to express their opinions via email via the government website until the consultation closes on 25 September 2023.

  • 08 September 2023
  • Immigration

Navigating the Latest Immigration Rules for Overstayers in the UK: A Comprehensive Guide for 2023

Staying beyond the expiration of your UK visa is a serious matter that, in most cases, can result in significant and long-lasting repercussions.