The EU Withdrawal Act 2018: What does it mean for information rights practitioners?

By Susan Wolf

Amidst all the media attention about the resignation of David Davis and Boris Johnson, and what type of deal (if any) the UK will end up with, uncertainty seems to be the current default setting in British politics. However, there is one certainty that may have escaped many people’s attention, namely that the European Union (Withdrawal) Act 2018 received Royal Assent on 26th June 2018. Many would be forgiven for not noticing that, after over 270 hours of debate in Parliament (during which the government was forced to concede some significant amendments proposed by the House of Lords), the Bill became law on that date. Many would also be forgiven for not knowing what the Act does or what it is trying to achieve. This guide is intended to briefly summarise the EU (Withdrawal) Act 2018. Further and more detailed information will be provided in follow-up blogs on the impact of Brexit on the GDPR, the EIR and the PECR.

Why was it necessary to enact the EU (Withdrawal) Act and what does it do?

EU law covers many areas of daily life, including employment law, environmental law and, of course, data protection law. EU legislation, enacted by the EU institutions, takes the form of:

  • EU Regulations (such as the General Data Protection Regulation 2016). EU Regulations are described as ‘directly applicable’. This means that they require no national implementing legislation, because they automatically become part of domestic law when enacted by the EU institutions. EU Regulations are designed to ensure that the law is uniform throughout the EU.
  • EU Directives are quite different from EU Regulations. Directives set out the objectives that are to be achieved but leave some degree of latitude to Member States on how to achieve them. Directives require Member States to introduce national legislation in order to bring the provisions of the directive into force.
    • For example, the Environmental Information Regulations (EIR) 2004 is a piece of domestic law that implements the provisions of the EU Directive on Public Access to Environmental Information 2003/4/EC.
  • Most EU Directives are implemented into domestic law by means of statutory instruments, but the Data Protection Directive 95/46/EC was implemented into domestic law by the Data Protection Act 1998. The Law Enforcement Directive 2016/680/EU has been implemented into domestic law by Part 3 of the Data Protection Act 2018.

The European Communities Act (ECA) 1972 is the statutory mechanism that enables such EU legislation to have legal effect in the UK. In particular it allowed EU Regulations to take effect in domestic law and gave Ministers powers to introduce secondary legislation to implement Directives.

The referendum decision of 23rd June 2016 in favour of leaving the EU meant that the European Communities Act 1972 had to be repealed. However, repealing the ECA 1972 on its own would have resulted in large areas of EU law and regulation no longer having any legal effect in the UK. It is widely recognised that this would have created a ‘black hole’ in the domestic statute book and a huge amount of legal uncertainty about the applicable law and the rights previously conferred by EU law.

The EU (Withdrawal) Act 2018 repeals the European Communities Act from the date that we leave the EU, 29th March 2019. However, to avoid the problem described above, the Act essentially ‘converts’ EU law as it stands on exit day into domestic law (‘retained EU law’). It also ‘preserves’ all laws made in the UK to implement EU obligations (such as the Environmental Information Regulations 2004). In a nutshell it means that all the laws and regulations made over the last 40 years or so, while the UK was an EU Member State, will continue to apply after Brexit. Contrary to what members of the public may have believed when they voted in favour of leaving, EU law will continue to have force in the UK after the date of exit.

This means the following will continue to have effect after the date when the UK leaves the EU:

  • The GDPR 2016
  • The Environmental Information Regulations 2004
  • The Law Enforcement Directive 2016 provisions in Part 3 of the Data Protection Act 2018
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003

After the UK has exited the EU in March 2019, Parliament will be able to decide which of the ‘EU retained’ laws and regulations it wishes to keep, repeal or amend. Ministers will be given wide-ranging and somewhat controversial powers to make these changes by secondary legislation. In particular, there has been criticism about the use of secondary legislation (and the lack of parliamentary scrutiny) to potentially repeal important statutory provisions.

The extent to which these powers may be exercised and may impact on current EU-derived information rights and data protection law, including the GDPR, the Privacy and Electronic Communications Regulations, the Environmental Information Regulations and the Law Enforcement Directive provisions, will be considered in subsequent blogs and forthcoming webinars.

Judicial interpretation of retained EU Law

The courts and tribunals of the Member States have a legal obligation to interpret national law that gives effect to EU law in a purposive manner. This means there is a duty on the courts to do what is within their jurisdiction to interpret national law in a manner that best achieves the results laid down in EU law, and offers effective protection of any legal rights conferred by EU law. This is known as ‘indirect effect’ or the duty of sympathetic interpretation. For example, the Information Rights Tribunal has frequently cited the aims of the Environmental Information Directive as an aid to the interpretation of the EIR 2004. The Directive requires that the exceptions to disclosure are interpreted in a restrictive manner, and there is clear evidence that the First-tier and Upper Tribunals have taken this on board in their decision-making.

Post Brexit, the national courts will no longer be bound by EU law to do this. However, it is unlikely that the national courts will return to the traditional ‘literal’ approach to interpretation. Increasingly the national courts have shown a willingness to interpret most legislation in a purposive fashion and this is unlikely to change as a result of Brexit.

Where the courts have been faced with the interpretation of national law that gives effect to EU law, they have been able to refer questions to the Court of Justice of the European Union (CJEU), using the ‘preliminary rulings procedure’. The preliminary rulings of the CJEU are currently binding and seek to ensure that the law throughout the EU is uniformly interpreted. As many information rights practitioners will know, the CJEU has handed down some significant rulings on the interpretation of the 1995 Data Protection Directive 95/46/EC (such as the well-known Lindqvist judgment of 2003 on the publication of personal data on the internet [1]) and on the meaning of ‘public authority’ under the Environmental Information Directive 2003/4/EC in Fish Legal v the Information Commissioner [2]. In the interest of certainty, these previous rulings, in so far as they relate to retained EU law provisions, are still to be regarded as binding on the lower courts and tribunals after exit day (the Act leaves the Supreme Court free to depart from them in the same way as it may depart from its own previous decisions).

The continuing relevance of these decisions and the role of the Court of Justice, post Brexit, will be considered in a later Blog.

[1] Case C-101/01 Criminal proceedings against Bodil Lindqvist

[2] Case C-279/12 Fish Legal and Emily Shirley v Information Commissioner and Others

We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now.

There is one space remaining on our GDPR Practitioner Certificate Intensive course in London starting on 20th August. Book now.

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.

Don’t forget about our GDPR Helpline; it’s a great tool to use for some advice when you really need it.

Act Now Launches GDPR Handbook

We all know that the General Data Protection Regulation (GDPR) cannot be read in isolation.

In September, the DCMS published the Data Protection Bill. Amongst other things, it sets out how the UK Government intends to exercise its GDPR “derogations”, the areas where Member States are allowed to make their own rules.

There are also a number of guidance documents from the Information Commissioner’s Office as well as the Article 29 Working Party on different aspects of GDPR. Wouldn’t it be useful to have one version of the GDPR containing clear signposts to the relevant provisions of the Bill and official guidance under each Article/Recital?

Act Now is pleased to announce the launch of its GDPR Handbook. This is a B5 size colour document. It is designed for data protection practitioners who want a single printed resource on the GDPR. It contains the full text of the GDPR together with:

  • Corresponding GDPR Recitals under each Article
  • Notes on the relevant provisions of Data Protection Bill
  • Links to official guidance and useful blog posts
  • Relevant extracts of the Data Protection Bill (in the Appendices).

A lot of the useful explanation of the provisions (Articles) is contained in the Recitals, which are at the front of the official text of the GDPR. Consequently, the reader has to constantly flick back and forth between the two. By placing the corresponding Recitals under each Article, the Act Now GDPR Handbook allows a more natural reading of the GDPR.

The Act Now GDPR Handbook is currently on sale at the special introductory price of £29.99. There is a 33% discount for the public sector and charities.

This will be a very useful document for those acting as Data Protection Officer under GDPR as well as data protection lawyers and advisers.

CHARITY DONATION

In recent weeks, half a million people, mostly Rohingya women and children, have fled violence in Rakhine state, Myanmar (Burma). They are seeking refuge in Bangladesh, where they urgently need food, water, shelter and medical care.

For each copy of the GDPR handbook you order, Act Now Training will donate £1 to the Disasters Emergency Committee’s Emergency Appeal.

By popular demand, we have added an extra course in Manchester for our GDPR Practitioner Certificate. Our first workshop on the Data Protection Bill course is fully booked. We have places left in London and Manchester.

The GDPR, the Data Protection Bill and Complaints

By Scott Sammons

The General Data Protection Regulation (GDPR) and the recently announced Data Protection Bill (DP Bill) are bigger pieces of legislation than the old Data Protection Act 1998. We already know that remedies and complaints under the Regulation are more wide-ranging and that organisations, in effect, are now to be seen as guilty until proven innocent: the accountability principle in Article 5(2) requires the controller to be able to ‘demonstrate compliance’ with the data protection principles.

Both the GDPR and the DP Bill give the Data Subject the right to lodge a complaint with the Information Commissioner if the Data Subject considers that, in connection with personal data relating to him or her, there is an infringement of the GDPR (GDPR Article 77, with Article 57(1)(f) making the handling of such complaints a task of the supervisory authority, and DP Bill Section 156).

Article 38(4) of the GDPR implies that Data Subjects can raise matters (complaints) with the Data Protection Officer, since they ‘may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights’, but it doesn’t explicitly state that Data Subjects can ‘lodge a complaint with the controller or processor’. The GDPR outlines that they can exercise their rights against the controller/processor (some of which, like the right not to be subject to solely automated decision-making, are often only really used if the Data Subject is unhappy about something). Therefore, as with today, you will want to encourage Data Subjects (should they have a concern) to bring it to you directly rather than go to the Information Commissioner. It is likely that the ICO will continue its stance of referring complainants back to the organisation concerned first if they have gone straight to the ICO, but I wouldn’t rely on this if I were you. The world is changing, and in order to truly embed the transparency and accountability requirements of GDPR it is far better to have a visible complaints process for Data Subjects up front.

Also, neither the GDPR nor the DP Bill explicitly states that the Data Protection Officer should be the one to investigate and resolve GDPR-related complaints. They do, however, in Article 39(1)(b) and Section 69(1)-(3) respectively, state that the DPO should ‘monitor compliance’ with the GDPR and DP Bill. Therefore the DPO should definitely be part of the complaints process, especially for ‘high risk’ complaints, but as for investigating every single complaint, I can’t see an explicit requirement for that. So if you’re the DPO for your organisation, or the IG/DP team member who will investigate DP complaints from data subjects, then this may be of use to you.

Given the above, however, when investigating complaints and/or accusations of non-compliance with the GDPR (or the DP Bill), you will need to be more thorough and more specific in determining exactly where a ‘breach’ may or may not lie.

For many of you this will be old news and you are most probably already doing this, but to many people formal training in ‘complaint handling’ and investigation is something new. Hopefully you’ll find this useful, and it should follow the same sort of process and standards many organisations (especially those that are regulated) will have in place.

Firstly, many people will accuse you / your organisation of wrongdoing and often provide a list of areas where they believe you have gone wrong. Some will be genuine and some will be utter nonsense. But you will need to be thorough to ensure that you can genuinely separate out what is a valid complaint and what is someone’s misunderstanding, venting or vendetta. Always start from the position that an accusation is not a fact; regardless of the ‘guilty until proven innocent’ slant of the accountability principle, any failing in your compliance controls will need evidencing, and a thorough complaint investigation will determine that. Each accusation should be taken seriously, but it will need to be investigated and evidenced to determine whether or not it is a valid complaint and there is a ‘case’ to be answered.

When investigating the matter at hand, start at the very beginning. What started this person down the path to lodging a complaint? What were their interactions with your service? Were things done correctly? Can you evidence that a particular action (either good or bad) was actually carried out, or is it a case of a staff member’s word against the complainant’s? As you would with a legal case, look for evidence to establish facts: the less evidence you have, the weaker your case is likely to be. The more evidence you have, the more you can prove one way or another what occurred and whether the complaint has merit.

It is likely that during your investigation you’ll determine that x process was not followed or y system failed resulting in the errors causing the complaint. If you are able to come to the conclusion that processes, systems or any controls have indeed failed it may also be worth logging an ‘adverse incident’ on the controls that have failed.

For those that have seen any of my previous posts on Information Risk, the things you put in place to prevent your risks from materialising are referred to as “controls”. These controls can range from policies, procedures, training, technical solutions and system design to anything really that helps you control that risk. When a control or controls fail this should be recorded as an ‘incident’, so that you can monitor the effectiveness of your controls and ensure that whatever remedy you put in place to stop it re-occurring actually strengthens that control (and isn’t just a default response of punishing or training the staff member).

But I digress; let us go back to the complaint. Once your investigation is complete and, for each aspect of the complaint, you can conclude what has and what has not occurred, you can start to draft a response and determine what parts of the complaint are ‘upheld’, ‘not upheld’ or ‘partially upheld’. If you imagine the ‘shopping list’ of accusations I referenced above, for each item on that list you should have a position of upheld, not upheld or partially upheld. If at any point:

Upheld is where you agree with the complainant and there is a case to answer. It is then up to you how you want to proceed with that complaint, based on what standards and approach your organisation takes to resolving complaints. Where a complaint does look like it is to be upheld (and indeed with any ‘high risk’ complaints) you will also need to agree the outcome and actions with the Data Protection Officer.

Partially upheld is, as it says on the tin, where there is some merit to the complaint but it didn’t occur as the complainant outlines and/or the impacts they describe are heavily inflated or incorrect. This may still be a ‘high risk’ area even though it is only partially upheld, so you may still need DPO sign-off before issuing the response.

Not upheld is simply where you cannot evidence that what the complainant says occurred actually occurred, or you have evidence to the contrary; their complaint is therefore unfounded and can be, for want of a better word, rejected.

When responding to the complainant you will need to run through each aspect of their complaint and outline your findings and why you have upheld or not upheld that aspect. There could, for large complaints, be a mixture of upheld, partially upheld and not upheld findings across the various areas in which they claim you have not complied with the law.

If you can record all of the above, with the supporting evidence, then should the complainant take their complaint to the ICO the majority of your investigative work should already be complete. It can then be quickly investigated or even ‘reviewed’ by another party if that’s what your organisation prefers. In any event, if you’re the DPO or the person supporting the DPO in their tasks, this should make it easier to log, track, resolve and learn from complaints if and when you get them. Of course the ideal would be not to get any complaints, but in the real world that is never going to happen.

Life is far too imperfect, but a ‘close to perfect’ complaints and incidents process should help you manage your GDPR compliance and give you useful insight into what is going right and wrong in your organisation.


Scott Sammons FIIM, CIPP/E, AMIRMS is Chair of the Information and Records Management Society (IRMS) and sits on the Exam Board for our GDPR Practitioner Certificate courses (3 out of the next 5 are fully booked).


We have added a new course on the Data Protection Bill to our programme.

GDPR Guidance finalised and more published

Unless you live on the planet Zog, you will be aware that the General Data Protection Regulation (GDPR) will come into force on 25th May 2018. Neither Brexit nor the recently announced General Election will have an impact on this date; GDPR is here to stay. There has been a flurry of activity from the Information Commissioner’s Office (ICO) and the Article 29 Working Party (A29WP) on the GDPR front of late.

Consent

Consent under GDPR is a thorny issue. Compare the old and the new definitions below:

Using opt-out boxes and inaction as proof of individuals’ consent to processing will no longer be allowed (if indeed it ever was!). Last month the ICO launched its GDPR consent consultation. The deadline for responses has now passed but the document is still worth reading to understand how the landscape is changing.

Profiling

GDPR introduces stricter provisions to protect individuals from a type of data processing known as “profiling”. This is defined in Article 4(4):

“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

The GDPR gives individuals a right to know profiling is taking place and in some cases allows them to object to it or require human intervention.

The ICO’s discussion paper on this topic highlights the key areas it feels need further consideration. This includes subjects like marketing, the right to object and data minimisation. The deadline for feedback is 28th April 2017. The A29WP guidelines on profiling are due to be published later this year and any feedback the ICO receives will inform that work.

Data Portability

Article 20 of GDPR gives individuals the right to receive their personal data, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller. This is known as the right to data portability.

In December 2016, the A29WP published draft guidance on this right and a useful FAQ. The final version was published on 5th April 2017. The key themes are the same but the latest version does clarify a few points and gives better examples. Here are the two documents compared.

Data Protection Officer

Section 4 of Chapter IV of GDPR (Articles 37 to 39) introduces a statutory position of Data Protection Officer (DPO) who will have a key role in ensuring compliance with GDPR. But who exactly will need a DPO and what is his/her role? The A29WP has now produced the final version of its DPO guidance, which was published for comments in December. Here are the two documents compared. Again the main themes of the documents are the same, with some welcome clarifications in the final version.

Lead Supervisory Authority

Companies will be directly responsible for GDPR compliance wherever they are based (and not just their EU-based offices) as long as they are processing the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour (Article 3(2)). For those with establishments in more than one Member State carrying out cross-border processing, or where a breach affects individuals in many countries, there will be a need to identify a lead supervisory authority (normally the authority for the main establishment, under Article 56), which will take the lead in investigating. The A29WP has now finalised its guidance on this topic.

Data Protection Impact Assessments

Article 35 of GDPR introduces the concept of a Data Protection Impact Assessment (DPIA). In some cases Data Controllers will be required to carry out a DPIA in relation to one or more data processing operations. It will help them assess necessity and proportionality and manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing those risks and determining the measures to address them).

Carrying out a DPIA is not mandatory for every processing operation. A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). In certain situations a DPIA will be mandatory (see Article 35(3)).

The A29WP is requesting comments on the data protection impact assessment guidelines it recently published. The deadline is 23rd May 2017. Even if you don’t want to comment, it’s still a useful document to read to understand what steps need to be taken to raise awareness of the DPIA process and what training will be required for those undertaking this task.

Finally, the A29WP recently published its work programme for 2016 – 2018 accompanied by a supplementary statement explaining GDPR specific priorities.  As from 2018 it will become the European Data Protection Board.


Our full day workshops and new GDPR Practitioner Certificate courses are filling up fast. We also offer a GDPR health check service.

The Right to Data Portability under GDPR

The new General Data Protection Regulation (GDPR) will come into force on 25th May 2018. Whilst it will replace the UK’s Data Protection Act 1998 (DPA), it still includes the rights of the Data Subject to receive a copy of his/her data, to rectify any inaccuracies and to object to direct marketing. It also introduces new rights, one of which is the right to Data Portability.

Article 20 of GDPR allows Data Subjects to receive their personal data, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller. The aim of this right is to support user choice, user control and consumer empowerment. It will have a big impact on all Data Controllers but particularly data-driven organisations such as banks, cloud storage providers, insurance companies and social networking websites. These organisations may find that customers are encouraged to move suppliers, as they will be armed with much more information than they previously had access to. This in turn may lead to an increase in competition, driving down prices and improving services (so the theory goes; we live in hope!).

When the Right Can Be Exercised

Unlike the subject access right, the Data Portability right does not apply to all personal data held by the Data Controller concerning the Data Subject. Firstly, it only applies to data processed by automated means. Paper files are not included. Secondly, the personal data has to have been provided by the Data Subject. This clearly covers data knowingly and actively provided, such as account data (e.g. mailing address, user name, age) submitted via online forms, but the A29WP also treats it as covering data generated by and collected from the activities of users by virtue of their use of a service or device (such as the raw readings from a smart meter).

By contrast personal data that are derived or inferred from the data provided by the Data Subject, such as a user profile created by analysis of raw smart metering data or a website search history, are excluded from the scope of the right to Data Portability, since they are not provided by the Data Subject, but created by the Data Controller.

Thirdly the personal data has to be processed by the Data Controller with the Data Subject’s consent or pursuant to a contract with him/her. Therefore personal data processed by local authorities as part of their public functions (e.g. council tax and housing benefit data) will be excluded from the right to Data Portability.

It is important to note that this right does not require Data Controllers to keep personal data for longer than specified in their retention schedules or privacy policies. Nor is there a requirement to start storing data just to comply with a Data Portability request if one is received.

Main elements of Data Portability

Article 20(1) gives a Data Subject two rights:

  1. To receive personal data processed by a Data Controller, and to store it for further personal use on a private device, without transmitting it to another Data Controller.

This is similar to the subject access right. However here the data has to be received “in a structured, commonly used, machine readable format” thus making it easier to analyse and share. It could be used to receive a playlist from a music streaming service, information about online purchases or leisure pass data from a swimming pool.

  2. A right to transmit personal data from one Data Controller to another Data Controller “without hindrance”

This provides the ability for Data Subjects not just to obtain and reuse their data, but also to transmit it to another service provider e.g. social networking sites and cloud storage providers etc. It facilitates the ability of data subjects to move, copy or transmit personal data easily. In addition it provides consumer empowerment by preventing “lock-in”.

The right to Data Portability is expected to foster opportunities for innovation and sharing of personal data between Data Controllers in a safe and secure manner, under the control of the data subject.

Time Limits

Data Controllers must respond to requests for Data Portability without undue delay, and in any event within one month. This can be extended by a further two months where the request is complex or a number of requests have been received. In that case Data Controllers must inform the individual within one month of receipt of the request and explain why the extension is necessary.

Information is to be provided free of charge save for some exceptions (for example where requests are manifestly unfounded or excessive). Refusals must be explained, together with the right to complain to the Information Commissioner’s Office (ICO).

Notification Requirements

Data Controllers must inform Data Subjects of the right to Data Portability within their Privacy Notice, as required by Articles 13 and 14 of GDPR. (More on Privacy Notices under GDPR here. See also the ICO’s revised Privacy Notices Code.)

In December 2016, the Article 29 Data Protection Working Party published guidance on Data Portability and a useful FAQ. (Technically these documents are still in draft as comments have been invited until the end of January 2017). It recommends that Data Controllers clearly explain the difference between the types of data that a Data Subject can receive using the portability right or the access right, as well as to provide specific information about the right to Data Portability before any account closure, to enable the Data Subject to retrieve and store his/her personal data.

Subject to technical capabilities, Data controllers should also offer different implementations of the right to Data Portability including a direct download opportunity and allowing Data Subjects to directly transmit the data to another Data Controller.

Impact on the Public Sector 

Local authorities and the wider public sector might be forgiven for thinking that the Data Portability right only applies to private sector organisations which process a lot of personal data based on consent or a contract, e.g. banks, marketing companies, leisure service providers, utilities etc. Major data processing operations in local authorities (e.g. for the purposes of housing benefit, council tax etc.) are based on carrying out public functions or statutory duties and so are excluded. However a lot of other data operations will still be covered by this right, e.g. data held by personnel, accounts and payroll, leisure services and even social services. An important condition is that the Data Subject must have provided the data.

The Government has confirmed that GDPR is here to stay; well beyond the date when the UK finally leaves the European Union. All Data Controllers need to assess now what impact the right to Data Portability will have on their operations. Policies and Procedures need to be put into place now.

Make 2017 the year you get prepared for the General Data Protection Regulation (GDPR). See our full day workshops and new GDPR Practitioner Certificate.

New Webinar on GDPR and the Right to Data Portability. Register onto the live session or watch the recording.

Brexit, Article 50 and the Great Repeal Bill: GDPR means GDPR

On Sunday Theresa May finally fired the starting gun for the process by which the UK will leave the European Union. Article 50 of the Lisbon Treaty will be invoked “no later than the end of March next year”, she told the Tory Party conference in Birmingham. This will give negotiators two years from the date of notification to conclude withdrawal and trading arrangements with Europe. Unless an earlier date is negotiated (very unlikely given the scale of the task), by April 2019 the UK will be on its own and no longer subject to EU laws.

The Prime Minister also promised a “Great Repeal Bill” in the next Queen’s Speech, to remove the European Communities Act 1972 from the statute book and enshrine all existing EU law into British law on the day of exit. There will then be a process whereby the vast amount of domesticated EU legislation will be sifted. The “good laws” will be retained, some laws amended and some excised from UK law altogether.

What impact do these announcements have on UK Data Controllers who are planning for implementation of the new General Data Protection Regulation (GDPR)? The answer in a nutshell (as I said in my July GDPR and Brexit blog post) is; keep calm and carry on (preparing)!

We now know that, whatever happens, UK Data Controllers will have to comply with GDPR for at least ten months. GDPR comes into force on 25th May 2018 but the Article 50 announcement means we will be in the EU (and subject to all its laws including GDPR) until at least the end of March 2019. Article 50 (3) states:

“The Treaties shall cease to apply to the State in question from the date of entry into force of the withdrawal agreement or, failing that, two years after the notification referred to in paragraph 2, unless the European Council, in agreement with the Member State concerned, unanimously decides to extend this period.”

However it seems now much more likely that UK Data Controllers will have to comply with GDPR for much longer beyond March 2019 (perhaps even indefinitely). The Great Repeal Bill  (if it is passed by Parliament) will implement the GDPR along with other EU legislation into our law on exit day. The Government must then decide to keep GDPR, amend it or go back to the drawing board. Practically speaking, keeping GDPR is the only option. Civil servants will have their work cut out examining 80,000 pages of EU agreements. At least with GDPR there is broad agreement amongst stakeholders including the ICO (see below) that it is a force for good.

Recently, in her first speech as the new UK Information Commissioner, Elizabeth Denham extolled the virtues of GDPR and reiterated the need to prepare for it regardless of the uncertainty about what the future relationship with the EU will look like. She also said in a BBC interview:

“The UK is going to want to continue to do business with Europe”.

“In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.

“The UK was very involved in the drafting of the regulation – it will likely be in effect before the UK leaves the European Union – so I’m concerned about a start and stop regulatory environment.”

Many of GDPR’s key provisions, such as breach notification and the new DP Principles, will require careful planning. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros (whichever is higher), a “wait and see” approach would be very risky. Brexit from the EU does not mean Brexit from the GDPR.

Act Now Can Help

We are running a series of GDPR webinars and workshops, and our team of experts is available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. GDPR requires many Data Controllers to appoint a dedicated Data Protection Officer. Our GDPR Practitioner Certificate (GDPR.Cert), with an emphasis on the practical skills required to implement GDPR, is an ideal qualification for those aspiring to such positions.
