The UK is leaving the EU to avoid the bureaucracy from Brussels, which includes having to comply with the General Data Protection Regulation (GDPR). So far, so good. However, since the EU is so important to their economy, the UK’s local data laws will in effect have to be at a very high level — basically, GDPR-like — or else the EU won’t allow data transfers.
Then there is the GDPR’s new principle of extra-territoriality, or territorial scope — something we’ve yakked a lot about in the blog — which means organisations in non-EU countries will still have to deal with the GDPR.
Finally, as a practical matter the GDPR will kick in before the UK formally exits the EU. So the UK will be under the GDPR for at least a year or more no matter what.
Greater legal minds than mine have already commented on all this craziness.
The UK government looked at the situation and decided to bite the bullet or, more appropriately, eat the cold porridge.
Last week, the UK released a statement of intent that commits the government to scrapping their existing law, the Data Protection Act, and replacing it with a new Data Protection Bill.
This document is very clear about what the new UK data law will look like. Or as they say:
Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU. The EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) have been developed to allow people to be sure they are in control of their personal information while continuing to allow businesses to develop innovative digital services without the chilling effect of over-regulation. Implementation will be done in a way that as far as possible preserves the concepts of the Data Protection Act to ensure that the transition for all is as smooth as possible, while complying with the GDPR and DPLED in full.
In effect, the plan is to have a law that mirrors the GDPR, allowing UK companies to continue to do business as usual.
The Bill will include the GDPR’s new privacy rights for individuals: the “right to be forgotten”, data portability, and right to personal data access. And it will contain the GDPR’s obligations for controllers to report breaches, conduct impact assessments involving sensitive data, and designate data protection officers.
What about the GDPR’s considerable fines?
The UK has also gone along with the EU data law’s tiered structure of fines – up to 4% of global turnover (revenue).
Her Majesty’s Government may have left the EU, but EU laws for data privacy and security will remain. The GDPR is dead, long live the GDPR!
Of course, the new Bill will have its own articles, with different wording and a different numbering scheme from the GDPR. And legal experts will no doubt find other differences — we’ll have to wait for the new law. Having said that, our considerable resources on the EU data law remain relevant.
For UK companies reading this post and looking for a good overview, here are three links that should help:
- What is the EU General Data Protection Regulation?
- Five Things You Need to Know about the GDPR
- GDPR: A Practical Guide
For a deeper dive into the GDPR, we offer for your edification these two resources:
And feel free to search the IOS blog and explore the GDPR on your own!