UK: ICO guidance confirms "GDPR firmly on Brexit agenda"

25 July 2016

The UK Information Commissioner's Office ('ICO') published, on 7 July 2016, an overview guidance of the General Data Protection Regulation ('GDPR') ('the Guidance'). The Guidance highlights similarities and differences between the GDPR and the current Data Protection Act 1998 ('the Act'), focusing on a number of topics including the legal basis for the processing, individuals' rights, data protection impact assessments and data breach notification.

Sophie Kemp, Partner at Kingsley Napley LLP, told DataGuidance, "UK's withdrawal from the EU ('Brexit') is unlikely to be complete by May 2018, meaning the GDPR would come into force in the UK with immediate application. Should this happen, we will be left to see if the GDPR can settle in the post Brexit legal landscape or whether it will be blown away by an adverse political wind. The Guidance is a clear signal to government that it needs to keep the GDPR firmly on its Brexit agenda."

The introduction to the Guidance highlights that, when the ICO started drafting the same, the GDPR 'was on track to come into force in the UK,' and, despite the result of the EU membership referendum, it believes that the Guidance will still be useful.

Regarding post-Brexit possible outcomes, Mirena Taskova, Senior Associate at Taylor Wessing LLP, noted, "I believe that the UK will strive to harmonise its data protection regulations with the GDPR in order to facilitate cross-border transfers of data. On the other hand, I would not be surprised if the UK also introduced certain business-friendly aspects, which may position the UK as an attractive destination in terms of data protection."

The territorial scope of application of the GDPR, set out in Article 3, includes processing operations carried out by controllers and processors not established in the EU with regards to personal data of data subjects in the EU, where they relate to the offering of goods and services, or the monitoring of their behaviour taking place in the Union.

Kemp continued, "One enduring certainty is that the GDPR will continue to apply to all UK organisations handling the personal data of EU citizens, regardless of the location of the organisation itself. This is likely to have a strong bearing on whether the GDPR is retained in the UK. The ICO will be keen for it to be known that if the GDPR is not kept, the UK Government will be quickly pressed into adopting measures which ensure an adequate level of protection to EU citizens' data rights, both by EU authorities and by companies wishing to avoid entering into individual European Commission approved data sharing contracts. The recent EU-U.S. Privacy Shield agreement required two years of negotiation, and doubts still remain about the scheme's legality."

Among other aspects, the Guidance outlines the importance of determining the legal basis for the processing of personal data and documenting the same, highlighting, 'This becomes more of an issue under the GDPR because your legal basis for processing has an effect on individuals' rights. For example, if you rely on someone's consent to process their data, they will generally have stronger rights, for example to have their data deleted.'

"The clarifications around the rights of the individuals are particularly helpful," commented Taskova. "The ICO is renowned throughout Europe for its proactive and efficient approach in providing solutions to controversial data protection matters via its guidance notes written in an easily accessible language. It's not surprising that businesses rely on these all over Europe. This Guidance is not an exception."

The ICO affirmed that the Guidance was meant to be just the first substantive part of a broader set of guidance on the GDPR.

"In due course, more practical recommendations, tables and visuals would be helpful - particularly highlighting the differences between the Act and the GDPR," observed Kate Brimsted, Partner at Reed Smith LLP. "However, this is billed as the forerunner of more detailed guidance, both from the ICO and also from the Article 29 Working Party, so we can expect further, deeper guidance in the future." 

If you would like to discuss this in further contact Sophie Kemp or view our Data Protection pages here. 

This article by Cristina Ulessi, Privacy Analyst including Sophie Kemp's views, first appeared as an article in DataGuidance which you can view online here. This article has been reproduced with permission from the copyright owner and must not be further reproduced without permission of the copyright owner or the Copyright Licensing Agency.

Share insightLinkedIn Twitter Facebook Email to a friend Print

Email this page to a friend

We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.

Leave a comment

You may also be interested in:

Skip to content Home About Us Insights Services Contact Accessibility