Since the vote to leave the European Union, Data Protection commentators have been offering their views about what the future of privacy legislation in the UK will look like. Whilst GDPR will definitely apply from May 2018 for the processing of personal data about individuals in the remaining European Union States, there is some doubt about whether the GDPR will be implemented in the UK. Add to that the current review of the ePrivacy Directive (the origin of the UK’s PEC Regulations) and the picture becomes even more complicated.
The three most likely scenarios regarding GDPR seem to be:
- The GDPR is still implemented because of exit timing
The DMA, amongst others, believes it is highly likely that we will still be part of the European Union by May 2018 and will, therefore, have to implement GDPR.
- The future data protection regime is dictated by the terms of the exit deal
If the deal involves signing up to of EU laws in order to gain access to the single market, following the Norway Model we will still get the GDPR and the revised (for which read toughened up) ePrivacy Directive.
- The exit package does not require the adoption of EU laws therefore leaving the UK free to reintroduce its own Data Protection legislation.
This would allow the UK to adopt a more business friendly “GDPR – Lite” removing some of the tough provisions of the GDPR and ePrivacy but running the risk of putting the UK in a non- “adequate” position and hindering the exchange of data with Europe.
The ICO made its position clear in a statement as early as the 24th June,
“…if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation”
However, after some “encouragement” from the Department for Culture, Media and Sport (DCMS) the Office subsequently softened this hard line position.
DCMS is, itself, currently consulting about the future of data protection legislation and is reportedly suggesting it might now be possible to have lighter touch legislation for those organisations which only market to UK individuals. Despite the inevitable workload for the new BREXIT department, DCMS is offering reassurance that data protection is being considered.
The problem for most marketing departments is that they cannot wait for the shoe to drop because GDPR requirements, if they are implemented, would mean major changes to database structures and working practices, all of which take time. Ignoring the possibility of GDPR being implemented is simply too risky.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.