06 December 2016

Now that we seem to have confirmation from the Government that the GDPR will come into force in the UK on 25 May 2018, it is time to provide you with more information.

The GDPR will have direct effect in the UK

Secretary of State Karen Bradley MP appeared before the Culture, Media and Sports Select Committee on 24 October 2016 and in response to a question stated:

We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.

It is anticipated that a fuller and more formal statement will be issued by DCMS in due course.

The outcome of the vote on 24 June 2016 provided data protection practitioners with some level of doubt about what was going to happen with Regulation 2016/679. We all thought it was likely to come into force but it is good to have confirmation of that. There was also a slightly odd situation where the ICO indicated straight away that the vote to leave the EU would not impact on the need to comply with the GDPR. However this statement was subsequently removed and replaced with a statement which said that the ICO would be discussing the implications of the referendum result and its impact on data protection reform in the UK with the Government over the coming weeks. This was apparently in response to a request from the Department for Culture, Media and Sport, the government department responsible for Data Protection who were concerned at the definitive approach that the ICO was taking. Thanks to Jon Baines and Tim Turner for drawing out attention to that.

However it now seems clear that come 25 May 2018 the GDPR will come into direct effect in the UK.

So where are we with Guidance.

I attended the ICO’s Scottish Conference in June – just prior to the referendum. There was some useful guidance provided at that event and the ICO has provided some additional information on its website. There is now an Overview to the GDPR which sets out some more detail about the key issues in the Regulation.

Of note:

The ICO also issued Updated Guidance on Privacy Notices which has a section identifying the changes coming with the GDPR. These changes are substantial and will impact significantly on data controllers. Currently there is only an obligation to provide the name of the data controller, the purpose or purposes of any processing and enough information to ensure that processing is fair. 

There is an obligation under the GDPR for privacy notices to be in a “concise, transparent, intelligible, and easily accessible form, using clear and plain language” BUT there is also an obligation to provide more information than currently required. At the ICO’s Scottish Conference, the ICO’s advice was they thought that the information required to be provided in terms of transparency by Article 13 GDPR could be split into two categories, with the information required by subsection (1) being more important than the information required by subsection (2). Therefore the less important information could be provided elsewhere i.e. by providing a link to a webpage.

Therefore I have split the categories of information required into two columns below.

It is of significance that the data controller is required to state and therefore think about the legal basis for any processing that is taking place.  In addition, if relying on the legitimate interests condition (which of course public sector bodies cannot do) then they must state the legitimate interest pursued.  I suggest that even the exercise of thinking about these issues will improve practice and understanding of data processing going forward. 

For more info visit our GDPR updates page.