Discussions with clients in recent months have revealed some confusion over the General Data Protection Regulation (GDPR) and the new UK Data Protection Bill (DPB), both of which are due to come into effect in May 2018. Why should organisations focus on GDPR when the UK is bringing in its own data protection legislation at the same time?
Firstly, it is important to note that, in spite of the UK government triggering Article 50 of the Treaty on European Union (the exit clause introduced by the Lisbon Treaty) to give notice of its intent to leave the EU, Britain will still be a Member State when GDPR comes into effect on 25th May 2018. As such, all UK organisations will need to comply with GDPR until the exit process is complete. After the UK's exit, any organisation that offers goods or services to, or monitors the behaviour of, people in the EU, and therefore holds the personal data of even a single EU data subject, will continue to fall within the scope of GDPR. For these reasons, GDPR compliance is the main focus for UK organisations.
The new DPB, also due to come into effect in May 2018, is the UK's update of its existing data protection law to bring it into line with today's digital marketplace. The DPB contains all the main principles of GDPR, so compliance with one will almost certainly ensure compliance with the other. The DPB also sets out how GDPR will apply in the UK, specifically in the areas where Member States have been given some flexibility, otherwise known as derogations.
After Britain's exit from the EU, the DPB (which, once enacted, will be known as the Data Protection Act 2018, or DPA 2018) is intended to take the place of GDPR for organisations operating within the UK. It is, however, highly probable that UK organisations will continue to do business with individuals and organisations in EU Member States. Because the DPB contains the essence of GDPR, it is expected that the UK will be granted an adequacy decision by the European Commission. This would allow personal data to flow freely between EU Member States and the UK, while giving data subjects the reassurance that an adequate level of data protection is in place.
Going forward, both GDPR and the DPA 2018 will apply to UK organisations, depending on where they operate, and a breach will be considered under the legal system of the country in which it occurs. In addition to the potential issues relating to Britain's status when sharing data with EU partners post Brexit, there are the individual Member States' derogations to consider, so the best course of action for companies that operate in several countries is to ensure that they are compliant with each country's data protection law.
As this is a complex issue, organisations based in the UK are advised to consult experts in data protection requirements. SRM's GDPR team provides a business-focused service to organisations of all types and sizes, at every point on the GDPR-readiness spectrum. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. While we provide technical and compliance expertise, we also understand how businesses operate, working with clients through the DPB and GDPR compliance process with a focus on delivering robust and effective compliance, not on selling products.
For more information on our GDPR services visit our website.
To gauge your level of GDPR readiness, complete our GDPR Self Assessment Questionnaire.
For information on the testing requirements for GDPR register for our free webinar.
Or read our blog.