This week the UK Digital Economy Minister, Matt Hancock, was challenged by the House of Lords committee on the UK’s plans for the GDPR.
The UK’s position so far:
The Great Repeal Bill and the activation of Article 50 from the Lisbon Treaty will mean the UK will no longer have to comply directly with European regulations. With this looming in the pipeline, there has been great uncertainty regarding which laws the UK will discard and which they will most definitely adopt. This has caused many UK companies to mistakenly halt their GDPR preparation plans.
On 25 May 2018, the toughest Privacy Law in European Business history, the GDPR, will come into effect. Some of what will be introduced includes:
- Higher penalties for breaches, which will also impact Not For Profit agencies
- Mandatory Breach Notification
- Strengthened citizen rights regarding Consent
- Self-Assessment in managing data
- Mandatory PIAs for high risk activities
Based on our interactions with companies preparing for the GDPR, it is the intricate details that pose the major challenge, such as the changes in the Right to Data Portability, Right to be Forgotten and Right to Erasure.
The GDPR greatly widens the scope of issues that organisations need to consider when planning their data strategy. This Regulation is a hot topic right now for companies and service providers trading with or in the EU, although some industries have been hit harder than others.
The UK’s position since this week:
On 01 Feb 2017, the UK’s Digital Economy Minister, Matt Hancock, clarified the UK’s position on implementing the GDPR.
- Hancock confirmed support for the GDPR;
- The GDPR will come into effect on 25 May 2018 regardless of the current status of Brexit.
Hancock did not foresee any significant changes being made to UK data protection law once the UK exits from the EU. Hancock appreciates that it is necessary to implement the GDPR identically to other member states in order to prevent interruptions to the free flow of data between the UK and the rest of the EU.
Hancock was unable to provide specific details on whether he would seek a Declaration of Adequacy from the European Commission. It is likely, but not confirmed, that the UK will have a Lead Regulator just like all other Member States. In this case, we expect that the ICO will act as the Lead Regulator. In this and in similar respects, the UK is expected to adopt similar etiquette to the EFTA countries, Norway, Iceland and Liechtenstein.
Regarding the US, Hancock did hint at a future data transfer framework; however, he was cautious about providing further clarification, probably due to the volatile landscape in the White House this week.
Summary of the indications so far:
Based on this week’s developments from the House of Lords, all indications show that the GDPR will be adopted in full by the UK. It is clear that the UK government is actively seeking to secure unhindered and uninterrupted data flows with the EU, thus preventing any business interruptions as far as is reasonably practical.
We strongly urge any business in the UK, or those not based in the UK but who handle the data of UK citizens, to continue their GDPR preparation plans in anticipation of the impending May 2018 deadline.
Sytorus specialise in Data Protection Consultancy. If you are busy preparing for the GDPR or simply don’t know where to start, check out our on-line Data Protection Management System https://privacyengine.io/.
We are following Brexit with great interest.
Keep in touch.