REUTERS | Vasily Fedosenko

Privacy and cybersecurity: Spring agenda 2019

We have had a blockbuster twelve months in privacy and cybersecurity which saw the arrivals of the General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA 2018) and the Network and Information Security Directive (NIS Directive).

As we approach the first anniversaries of those transformative pieces of regulation, the horizon is now dominated by the confusion and complexity of Brexit.

It feels like an opportune moment to kick off our quarterly agenda series on key privacy and cyber developments. This regular forward-looking piece will give in-house practitioners a heads up on key forthcoming developments to watch out for over the next quarter as well as highlighting new content.

Naturally, Brexit is at the forefront this Spring. Over the next four weeks, we may see Article 50 extended beyond 29 March. But the prospect of no deal in this short time still looms large and particular focus now will be on preparing for this, especially the real prospect of the UK being deemed an inadequate destination for EU personal data.

Practical Law’s recently published guidance in relation to Brexit includes:

The European Data Protection Board (EDPB) has also recently published an information note on data transfers under the GDPR in the event of a no-deal Brexit.

Beyond this, there are a number of developments – some driven by Brexit – but also including a number of consultations and events to be aware of over the Spring. New resources on Practical Law are featured at the bottom of this piece.

Brexit-related SIs

The statutory instrument designed to ensure the continuity of the UK legal framework for data protection continues to function on the UK’s exit from the EU, currently scheduled for 29 March. The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, originally laid before Parliament on 19 December 2018, merge the GDPR and the applied GDPR into the “UK GDPR” and amend the DPA 2018 and other legislation.

The regulations are largely designed to apply in the event there is no transition period (that is, no deal). However, the provisions amending the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR) will come into force on 29 March irrespective of whether there is a transitional period or whether the currently scheduled exit day is modified.

Meanwhile, the Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2018, which amend provisions deriving from European Union Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions are ready to come into force for in the event of a no deal.

ICO adtech fact finding forum

Announced in its recent blog on the advertising technology (adtech) from a data protection perspective, the Information Commissioner’s Office (ICO) is holding a fact finding forum for adtech industry participants on 6 March 2019 in central London. The forum will seek to discover how organisations can have confidence and provide assurances that onward transfers of data will be secure. Those interested in attending are invited to contact

ICO “Openness by design” consultation

The ICO is consulting on a draft access to information strategy, “Openness by design”, which sets out the ICO’s priorities for the next three years in relation to its duties under the Freedom of Information Act 2000, the Environmental Information Regulations 2004 (SI 2004/3391) and the Reuse of Public Sector Information Regulations 2015 (SI 2015/1415).

The consultation closes on 8 March 2019.

EDPB consultations

The EDPB has two live consultations with imminent deadlines:

PSA consultation on retention of data

The Phone-paid Services Authority (PSA) is consulting on proposals intended to clarify its expectations as to how long providers should retain certain kinds of data. It is proposing that providers should retain all Relevant Data, including personal data for two years, starting from the point it was first collected. The consultation closes on 3 April 2019.


The National Cyber Security Centre’s CYBERUK event is due to take place in Glasgow on 24 – 25 April 2019. CYBERUK is the UK government’s flagship cyber security event and will include briefings on the evolving cyber threat and how we must respond as individuals and as a community to keep Britain safe in cyberspace.

New Practical Law content

In addition to the Brexit guidance referred to above, recently-published privacy and cybersecurity content on Practical Law includes:

Leave a Reply

Your email address will not be published. Required fields are marked *

Share this post on: