Recent announcements are strengthening the view that organisations based in the UK will need to prepare for the EU General Data Protection Regulation (GDPR).
We have, of course, known for some time that GDPR will take effect in the EU from 25 May 2018. Immediately following the result of the referendum on the UK’s membership of the EU, some doubt was expressed about whether GDPR would take effect in the UK. However, it became clear early on that it was very likely to do so, and we therefore recommended that UK organisations continue to prepare for it. Please see The implications of Brexit for the GDPR.
Recent announcements have now strengthened our view. First, Prime Minister Theresa May has said that the starting gun on Article 50 will be fired by the end of March 2017. With negotiations then expected to last the full two-year period, this will take us to March 2019, nearly one year after GDPR takes effect. Second, the Prime Minister has also proposed a “Great Repeal Bill”, which will repeal the European Communities Act 1972 and convert EU law into UK national law on the day the UK leaves the EU. Following this, the idea is that the UK will undertake a process of picking and choosing which EU laws to keep, amend or repeal. The likely effect of this is that the GDPR will become, and is quite likely to remain, UK domestic legislation. Finally, in her first speech as the UK’s new Information Commissioner, Elizabeth Denham also made clear that the UK had given considerable input into the development of the GDPR, and her expectation was that the UK will have equivalent standards, saying “I don't think Brexit should mean Brexit when it comes to standards of data protection”.
UK-based organisations are therefore best advised to continue with their GDPR compliance programmes.