
Brexit and GDPR readiness: getting engaged before 31 January 2017

Don’t panic!  The date for compliance with the EU General Data Protection Regulation (GDPR) has not been brought forward.  But one GDPR-related deadline is approaching fast.

Following Theresa May’s speech today, announcing the UK’s trajectory towards a so-called “clean and hard” Brexit, we’d be forgiven for not seeing the value in investing heavily in any EU consultation exercise such as the one currently being conducted by the Article 29 Data Protection Working Party (WP29).  This consultation is in respect of the guidelines the WP29 has recently adopted on data portability, data protection officers and identifying lead supervisory authority (see also Practical Law Data Protection legal update).

Clearly there’s a vast torrent of water to flow under the Brexit bridge for at least the next 26 months, and we can expect plenty of changes of direction and surprises from all parties along the way.  However, as we’ve reported on this blog, the UK Government has made it clear that the UK will implement the GDPR, and all significant pronouncements from the UK Government and the Information Commissioner’s Office (ICO) since the June vote have recognised the need for a post-Brexit UK to remain a “global leader in data protection”, for close cooperation with the EU and for a smooth transition to maintain and enhance consumer trust.

Nothing is ruled out but it would be difficult to see this position changing radically.  With the handling of big data now so intrinsic to the global economy, any successor data protection regime in the UK is, at least in the medium term, likely to be substantially based on the EU’s GDPR, not least to ensure it fulfils the European Commission’s third party data protection adequacy requirements.

GDPR compliance efforts should continue.  On that basis, understanding the WP29’s guidelines and their impact is important.  The final guidelines will go a long way to determining the application of the new data portability right, the role of the data protection officer within an organisation and the approach national data protection authorities will take to enforcement in key areas of the GDPR regime.

The guidelines on data portability, data protection officers and identifying lead supervisory authority are not yet set in stone but the consultation exercise that will determine how they finally read closes two weeks today, on 31 January 2017.

Many businesses will be alert to this but, if it’s not been on your radar until now, you can still have your say in getting the guidelines right – or as right as they can be.

The WP29 is inviting comments on the guidelines via the following email addresses:  JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr.

For further information see our EU General Data Protection Regulation toolkit.

Rob Beardmore
