The EU’s General Data Protection Regulation (GDPR) is the most significant development in data protection law in the last 20 years. Given that Article 50 has been triggered and the UK is certainly leaving the EU, do we have to prepare for and comply with GDPR?
The answer is yes. Here are three reasons why:
1 – It is likely that GDPR will come before Brexit
Article 50 began a two-year countdown to the end of the UK’s EU membership. Depending on negotiations, the latest that the UK will leave the EU is now 23 March 2019. Therefore, when GDPR becomes applicable on 28 May 2018, it is highly likely that the UK will still be a member.
As an EU ‘Regulation’, GDPR will automatically become law in all EU member states.
2 – The UK plans to pass a Great Repeal Bill
The Great Repeal Bill will end the supremacy of EU law in the UK. However, this legislation will also enshrine all current EU law as UK law – otherwise there would be a problematic ‘black hole’ in UK law where EU law once applied. After the Great Repeal Bill is passed, the Government will then begin the process of ‘unpicking’ the old EU laws. This means that GDPR is likely to be enshrined in UK law (at least for a while).
3 – The UK may have to ‘match’ the GDPR in any event
The current EU data protection regime requires anyone outside the EU to handle EU data according to EU standards. This is currently done in one of two ways: either (1) the EU formally acknowledges that a non-EU country’s data protection laws are ‘adequate’, or (2) any company dealing with EU data is contractually obliged to meet these standards when trading with EU entities.
So, if the UK wishes to trade with the EU and data is involved (which it certainly will be), UK traders will have to abide by standards similar to those under GDPR anyway. By way of example, the United States had previously relied on its ‘Safe Harbour’ framework to facilitate the transfer of EU data to U.S. companies. However, the European Court of Justice declared the Safe Harbour invalid in 2015. The U.S. is now negotiating the new ‘Privacy Shield’ with the EU to guarantee data protection standards.
What are some of the main changes and what do I have to do?
Some of the changes under GDPR include:
- New obligations for data processors;
- Greater penalties for data protection breaches;
- More stringent rules on data breach reporting;
- More stringent conditions on obtaining consent;
- More stringent rules on the provision of information to data subjects;
- Businesses will bear their own responsibility for risk assessment and general compliance, and will have to be able to prove compliance through documentary evidence;
- New technologies and business models must have data protection ‘built in’;
- Data subjects will have the “right to be forgotten”; and
- Data subjects will have the right to data portability (i.e. to have data provided to them in a commonly used or machine-readable format, or transferred to other data controllers with ease).
For more information on the GDPR and those steps that you need to take now to be ready for its implementation, see our Guide to the new General Data Protection Regulation: http://www.cripps.co.uk/wp-content/uploads/2017/05/Guide-to-the-new-General-Data-Protection-Regulation.pdf.