In her evidence to the Culture, Media and Sport Select Committee on 24 October, Secretary of State for the Department of Culture, Media and Sport (“DCMS”) Karen Bradley MP called out the EU General Data Protection Regulation (“GDPR”) as an example of EU law that the government would opt into. At the same time, the minister observed that there could be opportunities post-Brexit for UK law to develop to help British businesses by finding new approaches to the “burdensome” aspects found in some EU laws, while maintaining adequacy and making sure British businesses can still work with the EU.
The minister confirmed that coordination between the DCMS and the Department for Exiting the European Union (“DExEU”) has been underway for a number of months. In particular, Ms Bradley stated in relation to the GDPR’s implementation:
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.” The minister also commented:
“That is where I see the opportunities, because I think that there are some [EU legal measures] that have been burdensome to British business and that we could find new approaches [to], but we have to obviously maintain competitiveness within the EU. We need to maintain adequacy to make sure that British business can work with the EU, and we are looking for those opportunities to get it right.”
The Information Commissioner was quick to welcome the government’s public confirmation that the UK will implement the GDPR as “good news for the UK”, noting that public confidence in the protection of information is an essential component for the successful growth of the UK digital economy, which is growing year upon year (see DCMS’ Digital Sector Economic Estimates 2016).
The Information Commissioner, Elizabeth Denham, was quick to welcome that there is still some uncertainty as to how the GDPR will work in the UK upon the UK’s departure from the EU, but stresses that preparing for compliance with the GDPR in time to meet its May 2018 commencement should outweigh any concerns about post-Brexit changes (should there be any).
The ICO has published guidance for businesses working toward GDPR compliance, including the ICO’s Overview of the GDPR and Preparing for the GDPR: 12 Steps guidance. Further guidance is expected over the next six months.