
To Brexit and beyond: facing up to the GDPR adoption challenge

Neil Merrett Published 25 May 2017

A year from today, GDPR will be the law of the land, and any consideration of moving away from the EU data regulation is not expected during the next parliament


A future UK government may look to enact its own regulations around data protection after leaving the EU, yet one data protection expert warns that this is unlikely during the lifetime of the next parliament and will be hugely dependent on future trade arrangements.

Peter Wright, managing director for DigitalLawUK and chair of the Law Society Technology and Law Reference Group, said that with the European General Data Protection Regulation (GDPR) set to become part of UK law a year from today, the new legislation is expected to remain a key consideration for the private and public sectors for a number of years to come.

UK data regulator the Information Commissioner's Office (ICO) has stressed that GDPR will introduce important changes to data management, serving as an evolution of existing practices and requirements.

As with other EU member states, UK public and private sector organisations must ensure their operations and management structures are prepared by 2018 for GDPR. This will include having data protection officers in place, if they are not already, while also meeting mandatory requirements to report breaches of systems and information within a 72-hour period.

Yet challenges remain in meeting these goals. These include ensuring key public service providers and other organisations are sufficiently trained and correctly staffed, as well as understanding how their obligations may be affected once the UK is a non-EU member state.

With the UK due to formally end its membership of the European Union in 2019, the legislation is expected to be carried over into UK law via the proposed Grand Repeal bill.


However, in their latest General Election manifesto, the Conservative Party has made a broad pledge to bring forward a new protection law "to ensure the very best standards for the safe, flexible and dynamic use of data and enshrining our global leadership in the ethical and proportionate regulation of data."

With the General Election campaign largely suspended this week following a terrorist attack in Manchester, the party has not yet clarified whether these commitments relate to implementing GDPR, or potentially setting out new standards and obligations post-Brexit.

"We will take up leadership in a new arena, where concern is shared around the world: we will be the global leader in the regulation of the use of personal data and the internet," said the Conservative manifesto.

From his own experiences working with organisations trying to prepare for the incoming GDPR, Peter Wright argued that a significant challenge for government going forward will be the likely need to gain a compliance arrangement or partnership on data exchanges with the EU.

Citing the ongoing challenges facing US authorities in reaching a 'privacy shield' arrangement with the bloc, which is already facing legal challenges on both sides of the Atlantic that may require further reforms, Wright said that failure to reach such an agreement may have huge impacts on trade.

"To be honest, this may be a decision that is out of the government's hand and instead a consideration for industry and business itself," he argued.

Wright said that any eventual trade deal reached with the EU will likely require specific compliance from across the public and private sectors with regard to holding and processing information at a UK level.

"Whether the UK reaches some sort of a deal with the EU, or seeks to move to World Trade Organisation (WTO) terms, who knows what we are going to get out of this," he said.

Even for a number of public and private organisations that may not hold data on EU nationals or provide services to the continent, the UK government could find itself pursuing ongoing national compliance to ensure alignment with pan-European standards.

With a broad number of questions facing the next government around the UK's status as a trade partner and digital economy - decisions which may sometimes be out of Whitehall's control - Wright argued that it was unlikely that we would see new data legislation that takes a different path to GDPR in the upcoming five year parliamentary term.

Challenges ahead

However, in the current environment, Wright saw two major challenges ahead in ensuring widespread GDPR compliance in just a year's time. Firstly, he spoke of the potential uncertainty about the need to comply with EU legislation following the Brexit referendum and communicating the urgency for change to all data handlers.

Wright said that while organisations had for some time been preparing themselves to meet the requirements of GDPR, the outcome of the EU referendum had potentially led to some confusion over whether the requirements would still need to be met.

A second challenge was identified around existing training focuses for helping organisations meet their legal requirements.

Wright argued that these focuses were mainly concentrated around consent, with more limited consideration given to practical challenges that will face organisations around mandatory breach reporting.

With GDPR becoming the law of the land exactly a year from today, Wright said it was important that compliance was not viewed solely as a concern for IT departments or technology providers. He argued that while it was important to listen to technologists on compliance, responsibility for planning was needed in all senior management and HR departments.

World changing?

Also addressing the challenges ahead for authorities that have just a year to meet GDPR requirements, ICO deputy commissioner Rob Luke said the regulation was a response to the changing importance and significance of data in society.

"It is not GDPR which is pushing data protection up the public, political and media agenda," he said in a speech delivered to industry association techUK.

"It is the changing nature of the world in which we live, and the ubiquity of data, which is causing society to reflect on the consequences for our personal information and for privacy itself."

Luke said that the legislation was required as a result of the increased quantity and use of data afforded by a number of evolving technologies, but did not wish to touch upon possible post-Brexit arrangements or data protection frameworks.

Over the next twelve months, Luke said that there were a number of challenges to be addressed by private and public sector service providers, such as the higher volume of work required through revised breach notification requirements.

The ICO will also be considering how it is able to work with companies more closely with regards to ensuring a "privacy by design" ethos in their solutions, as well as detailing good practice and providing exemplars to support wider transformation work.

"GDPR explicitly foresees wider use of tools such as codes of conduct and certification schemes, which potentially have an important role to play," he said.

The ICO is also committed to a new Technology Strategy with the aim of setting out new ways of coping with rapid changes in technology and their impact on information management.

