On 25 May 2018 the General Data Protection Regulation ("the GDPR") takes effect in every member state of the European Union, including the United Kingdom. The position has been complicated in this country by last year's referendum on EU membership, which means that the Regulation will cease to apply to the UK on 29 March 2019 when we leave the EU unless there is evidence of a sufficient change of heart on the part of the public to persuade the government to change tack.
A fair-sized industry of consultants, publishers and conference organizers has grown up to prepare businesses for the introduction of this legislation. As Elizabeth Denham, our Information Commissioner, has pointed out in "GDPR – sorting the fact from the fiction" (9 Aug 2017), there have been a lot of scare stories about the GDPR and not a little misinformation. There will be some changes as a result of the GDPR. Data subjects will get new rights on 25 May 2018 and there will be increased sanctions for non-compliance. Those changes, however, are evolutionary rather than revolutionary. It should not be too difficult to prepare for them or to manage them.
Because it is a regulation rather than a directive, the GDPR does not require any implementing legislation. However, there will be a new data protection statute for the United Kingdom for three reasons. The first is to transpose the Data Protection Law Enforcement Directive into the laws of the United Kingdom. The second is to confer rights on data subjects that are not provided by the GDPR, such as the right to require social media platforms to delete information held on them at age 18. The third reason for the new Act is to preserve the provisions of the GDPR after Brexit day, as I noted in "What will happen to the GDPR in the United Kingdom after Brexit?" (10 Aug 2017, NIPC Brexit).
Like the Data Protection Directive which it replaces, the policy of the GDPR is to give effect to the Council of Europe Data Protection Convention and the OECD Guidelines on Transborder Data Flow, having regard to changing technology and applying the experience of the operation of the Data Protection Directive. As before, the objectives are to facilitate transborder data flow while protecting the privacy and other interests of individuals.
The Data Protection Law Enforcement Directive is new. It seeks to harmonize the use of information technology by law enforcement agencies throughout the member states. However, that legislation also traces its wellspring to the Council of Europe's Data Protection Convention, which itself applies the European Convention on Human Rights to data processing. Art 63 (1) of the Law Enforcement Directive requires member states to transpose it into national law by 6 May 2018.
Over the next few weeks I shall write about various aspects of the Law Enforcement Directive and the GDPR as 6 and 25 May 2018 draw closer. I shall also write about the Data Protection Bill as it makes its way through Parliament. I have started with a glossary as the terminology used in the GDPR is different from that of the Data Protection Directive. In that endeavour, I hope to remove some of the hot air and panic about the new legislation.
Should anyone wish to discuss this article or data protection generally, he or she should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.