Data Protection and Brexit – UK Timeline of Developments
The Information Commissioner’s Office (ICO) has published a series of steps regarding compliance with the GDPR. This has included guidance on GDPR preparation; priorities on GDPR and; an overview of GDPR.
On 29 September, Elizabeth Denham delivered her first speech as the UK Information Commissioner, stating:
“It is extremely likely that GDPR will be live before the UK leaves the European Union. Remember that the GDPR is actually already in force, it is just that Member States are not obligated to apply it until 25 May 2018.”
“[N]o matter what the future legal relationship between the UK and Europe, personal information will need to flow. It is fundamental to the digital economy. In a global economy we need consistency of law and standards – the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent.”
On 7 October 2016, the ICO published a new code of practice on privacy notices. This guidance is the first piece of ICO guidance that advises on the Data Protection Act and the GDPR. The code includes advice on what to include in a privacy notice, where to deliver privacy information to individuals and when to actively communicate privacy information.
On 24 October 2016, Karen Bradley, Secretary of State for Culture, Media and Sport, said:
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
On 31 October, Elizabeth Denham in her blog post, welcomed the news that the UK government had confirmed that it will be implementing the GDPR and confirmed that within the next 6 months the ICO will publish a revised timeline setting out what areas of guidance it will be prioritising. She also acknowledged that while there may be questions about how the GDPR will work on the UK leaving the EU, this should not distract from the important task of compliance with the GDPR by 2018.