How can we help?


UK Data Protection: A little part of us that will forever be Europe?

In the pre-23 June 2016 world of certainty, stability and legislative timetabling, British businesses knew that, so far as their data protection obligations were concerned, they would have a couple of years to comply with the requirements of the new EU General Data Protection Regulation (GDPR), which was adopted in April this year and takes effect from 25 May 2018.

Most would agree that some reform was necessary. The current EU data protection regime is based on the Data Protection Directive, introduced in 1995. Our very own Data Protection Act (DPA), which brought British laws on data protection in line with that Directive, was enacted, for the most part, over 15 years ago, in an era when phones weren’t “smart”, online marketing was in its infancy, employee records were still largely kept in metal filing cabinets and binoculars were a useful surveillance tool. A lot has changed.

What has also – possibly – changed is the UK’s future requirement to enact EU Directives into domestic law. So, as several of our clients have already asked in the past couple of weeks, what now for the GDPR?  Should we brief senior management, designate a Data Protection Officer, update our Subject Access Procedure and so on? Or should we assume the GDPR will never apply?

Chambers and Partners

The Clarkslegal team are commercial and good to work with. They get what our business needs and tell me what I need to hear.

Afraid we can’t really say definitively.

This was the view of the Information Commissioner, Christopher Graham, in a recent press release:-

“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s [Information Commissioner’s Office’s] role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”

However, the Government view is rather less positive. The UK minister responsible for data protection, Baroness Neville-Rolfe, recently acknowledged that “for a period the future will be more uncertain” and that it is not certain if the GDPR will apply in the UK:-

“On one hand if the UK remains within the single market EU rules on data might continue to apply fully in the UK. On other scenarios we will need to replace all EU rules with national ones. Currently it seems unlikely we will know the answer to these questions before the withdrawal negotiations get under way.”

So what is the best approach now for a forward-thinking and well-prepared business?

  • Certainly, continue to ensure carefully that you understand and comply with obligations under the DPA. As the ICO has stated in its advice on the GDPR, “many of the principles in the new legislation are much the same as those in the current DPA. If you are complying properly with the current law, then you have a strong starting point to build from. But there are important new elements, and some things will need to be done differently.”
  • Monitor developments and ensure you are ready to respond. For example, if the GDPR is enacted, you will need to designate a Data Protection Officer or equivalent.
  • And, finally, please don’t assume that we will avoid enacting the GDPR. Any UK business involved in cross border transfers of personal data in the EU post-Brexit (and that is potentially a huge number, be this employee or customer data) will, in all likelihood, need to be subject to national data protection laws at least as stringent as those envisaged by the GDPR, or those transfers will become far, far more difficult.

The problems that can easily arise where another national regime is not viewed as stringent enough was very well demonstrated after the Schrems decision in the European Court of Justice last year (which related to Facebook’s transfers of personal data to the US).  This struck down the EU-US “Safe Harbour” agreement which had allowed personal data to be transferred legally between EU countries and the US for 15 years and which some 4,000 US companies relied on. Teams of EU and US negotiators have been valiantly trying to put in place a replacement for over two years, but this is not yet agreed and may not even be effective legally. Don’t for a minute think it would be easier for the UK and EU to negotiate a post-Brexit Safe Harbour-style agreement!

And the alternatives – so-called “Binding Corporate Rules” within a corporate group or a binding data transfer agreement between a data transferor in an EU country and a data recipient in the UK – would each be subject to approval from relevant national data protection regulators, bringing inevitable delay and expense.

In short, enactment of the GDPR (or something closely equivalent) into our national law, despite some of its more onerous aspects, might well be the preferred option for businesses which carry out data transfer from and to the EU.

About this article


This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

  • 10 July 2024
  • Employment

Redundancy : Back to Basics FAQs

Redundancy can be a scary and overwhelming time both for employees being made redundant, and for those that have to make the decision. It is important for both parties to know their rights and obligations in this time.

  • 09 July 2024
  • Public Procurement

Buyer Beware: Practical Guidance for Breach of Warranty in an SPA

Are you buying a business? Whether you are buying shares in a company or purchasing its assets… the general Latin common law principle “caveat emptor” applies.

  • 08 July 2024
  • Corporate and M&A

Navigating corporate transparency: ECCTA reforms series

This is the second article in a series exploring the changes brought by the Economic Crime and Corporate Transparency Act 2023 (ECCTA).

  • 08 July 2024
  • Immigration

Right to Work Check Guidance – Key Changes for Employers

This updated guidance introduces several significant changes aimed at streamlining the right to work verification process for employers.

  • 02 July 2024
  • Privacy and Data Protection

Data protection unlocked for HR: Introduction to data protection

Lucy Densham Brown and Sana Nahas from the data protection team will discuss data protection issues encountered by HR professionals in the first episode of the ‘Data Protection Unlocked for HR’ podcast series.

  • 27 June 2024
  • Employment

TUPE Podcast Series: What Transfers

In this sixth podcast in our TUPE Podcast Series, Amanda Glover will delve into the automatic transfer principle and what transfers to the incoming employer under TUPE.