Data Protection Update

Data Protection Update


In the brink of the Brexit vote we have been asked by a number of clients how this impacts the introduction of the General Data Protection Regulation (GDPR) which was scheduled to automatically come into force on 25 May 2018.

  • Firstly, Article 50 is unlikely to be triggered before the end of the year and there is also expected to be a two year exit period. Of course that could be reduced or extended.  But, at the moment, it looks like the UK will still be in the EU when the GDPR comes into force.  Unless expressly agreed as part of our exit negotiations then all new EU laws - including the GDPR - will apply in the UK.
  • Secondly, the Information Commissioner’s Office is on record as calling for reform of the existing Data Protection Act 1998. If the UK wishes to remain within the “club” of countries that can freely share EU derived personal data, then it will need to demonstrate “adequacy”. This will no doubt be a point for negotiation but the easiest way to demonstrate adequacy will be for the UK to retain the GDPR post Brexit.  The “one stop shop” mechanism is one of the areas which can probably be dropped if the UK wishes. Over the longer term there may be some divergence with the UK continuing to take its historically pragmatic approach.

Our advice remains to continue to prepare for the coming GDRP although many clients will wish to “soft peddle” for the time being. Whatever happens few organisations will go far wrong by ensuring that they have a proper understanding of the HR data that they process and have appropriate security measures in place. To learn more about the practical steps required to implement the GDPR click here.

Finally, in recent days the European Commission has formally approved the so called “Privacy Shield” for transfers from 1 August 2016. This is a self-certification scheme for US companies which, effectively, allows them to share EU derived data by “opting in” to EU data protection law. It replaces the Safe Harbor which was invalided by the ECJ back in October 2015. As most large corporations have already entered into “model agreements” there will be no reason for most clients to do anything. It does however provide another means of legitimising transfers. To learn more about cross border data flows click here.