General Data Protection Regulation (GDPR) – what you need to know
Matt Jackson of our Commercial team comments on the General Data Protection Regulation
There’s no doubt that almost all of us are aware of the current law on the collection and use of personal data, the Data Protection Act 1998. There’s also no doubt that most of us have heard, from a variety of sources, that the law on personal data, its collection, storage and use, is about to change quite significantly. The reason for the change is the General Data Protection Regulation (GDPR), a piece of EU law that was adopted in April 2016 and applies across the EU from 25 May 2018.
For those of you so inclined, the full text of the regulation (all 88 pages of it) can be read here.
Over the coming weeks and months I will be writing regularly about the GDPR: its effect on business in the UK, the changes it makes to the current data protection regime, and what businesses need to do to be compliant by the time it applies in the UK. The changes are sufficiently wide-reaching that one article trying to cover them all would simply be too long to write!
This article will briefly touch upon the background to the GDPR and will, so far as we can, answer one of the questions we are asked most often about it: given Brexit, will the UK still have to implement the law?
Background to GDPR
Whilst the laws surrounding data protection have been tweaked over the years, it has become clear that the current regime is not fit for purpose. The Data Protection Act was passed in 1998 and the EU Data Protection Directive was passed in 1995. Bearing in mind that in 1995, the internet as we know it now was very much in its infancy (this was the year AOL first offered consumer access to the internet), the Spice Girls had only existed for 1 year, James Bond was rebooted in Goldeneye and the Nokia 3310 was still 5 years away, it is clear that the laws did not contemplate how the world operates now.
And therein lies the problem. The Data Protection Act, whilst referencing computer systems, was really written for a world of paper files, filing cabinets and letters. It was never contemplated that data could be transferred all over the world in milliseconds and stored, accessed and used in multiple locations, by multiple people, instantaneously.
In light of this clear obsolescence of the Data Protection Directive, the EU set out to modernise data protection law, bringing it into line with the world as it is today and, hopefully, future-proofing it against further advances in technology. GDPR was born from that effort and applies as law throughout the EU from 25 May 2018.
What does this matter? The UK is due to leave the EU within the next 2 years, so why are we worried about this piece of EU law?
There are two reasons why this really matters.
The first is that GDPR is an EU regulation rather than a directive: it takes effect directly in every EU member state without needing national implementing legislation. It was adopted in April 2016 with a two-year transition period, and that period expires on 25 May 2018, some ten months before the UK’s two-year Article 50 period ends in March 2019. This means that GDPR will be enforceable in the UK from May 2018, whether we like it or not.
Secondly, and perhaps more importantly, even after Brexit the UK will still need to trade with many, if not all, EU countries. Given that the UK is a services powerhouse, much of that trade will involve the transfer of personal data throughout the EU and further afield. Once outside the EU, the UK becomes a ‘third country’ for GDPR purposes, and personal data may only be sent to a third country under one of the transfer mechanisms GDPR permits. The UK will be free to set its own data protection agenda, but if our laws offer less protection than GDPR then companies trading in the EU will no longer be able to pass personal data into and through UK companies without putting specific contractual safeguards (such as the European Commission’s standard contractual clauses) in place for each relationship. In short, it is in the UK’s best interests to have data protection law that mirrors GDPR. The aim, hopefully, will then be to obtain an ‘adequacy’ decision from the European Commission, similar to the Safe Harbor regime that used to exist with the US (and which the EU’s highest court struck down in 2015), so that EU companies can pass data to UK companies without the added bureaucracy of specific contracts. That will only happen if the UK implements its own version of GDPR into UK law.
In my next article on GDPR I will start outlining the key differences between GDPR and the Data Protection Act 1998. I will also look at what businesses need to start thinking about, and doing now to ensure they are ready for this big change in law.
Want to discuss this with us?
If you want to discuss GDPR and data protection and how it applies to you and your business, please do call Matt Jackson, Associate in the Corporate and Commercial Team, on 0121 296 3837, or email him at firstname.lastname@example.org and he’ll be only too happy to help.