General Data Protection Regulation

The General Data Protection Regulation (GDPR), which replaces the current EU Data Protection Directive, is due to come into force in the UK on 25 May 2018. It introduces the most wide-ranging changes to data protection laws for 20 years. As the GDPR is a Regulation and not a Directive, it will be directly applicable in the UK from that date without the need for additional national legislation, and this will be at a time when it seems likely that the UK will still be a member of the EU. Therefore, Brexit should have little, if any, impact on GDPR compliance planning for organisations.

The Information Commissioner’s Office (ICO) has now published an Overview of the GDPR for organisations, which highlights the key themes of the GDPR to help organisations understand the new legal framework in the EU. It explains the similarities with the existing Data Protection Act 1998 (DPA), and describes some of the new and different requirements.

Even after the UK has left the EU, the GDPR will still be relevant for organisations in the UK that operate internationally within the EU. In addition, if the terms of the UK’s withdrawal result in the UK remaining in the EEA, it is likely that the UK would be required to continue to comply with the GDPR. Even if the UK is outside the EEA, it is likely that compliance with GDPR principles will be required in any event in order for data to continue to be transferred from other EU countries to the UK, so the UK will probably need to implement either the GDPR itself, or something very similar to it, into national law.