Welcome to the June Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.
The implications of Brexit on data protection
The EU referendum is being held on Thursday 23 June 2016 and a vote to leave may have far reaching implications on data protection laws. The General Data Protection Regulation (GDPR) will enter into force on 25 May 2018 and a vote to leave will mean that the UK will no longer be required to implement the new laws into its legal framework. The GDPR will, however, automatically apply to many UK organisations that offer goods or services to EU residents or monitor the behaviour of EU residents.
A vote to leave will trigger a two-year negotiation period that will determine the UK's onward relationship with the EU. As such, data protection law in the UK will be in a state of flux for a period of time providing uncertainty to UK organisations.
Two potential scenarios in the event of a vote to leave are as follows:
UK leaves the EU and remains part of European Economic Area - the GDPR will still apply. This is because the four freedoms of Europe (the free movement of goods, capital, services and people) are incorporated into the European Economic Area agreement. UK leaves the EU and there is no free trade agreement - the GDPR will not form part of the legal framework in the UK. The current Data Protection Act 1998 will remain in place until such time that the UK amends its legal framework. In practice, however, the UK is likely to amend its current laws to a regime similar to the GDPR to ensure that business can continue between the UK and EU. In any event, the ICO has issued a statement that "the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU".
ICO guidance on GDPR expected in next 6 months
The ICO has set out its approach to producing guidance for the GDPR. Three priority areas have been identified (ICO guidance, European level guidance and policy outputs) and the ICO plans to produce guidance over three phases.
Here's what to expect from the ICO:
Phase 1 - in the next 6 months, the ICO will focus on producing guidance on the key differences in the GDPR to assist organisations prepare for the change in law. Topics include individuals' rights, consent and privacy...