The EU General Data Protection Regulation will enter into force on 24 May 2016.
There will be a two-year implementation period, so the new law will apply in all EU Member States, including the UK, from 25 May 2018. The result of the in/out referendum on 23 June will make little difference. The Regulation is drafted to apply even to organisations based outside the EU if they process the personal data of people who are within the EU (though how the law would be enforced is another matter).
It is good for businesses operating in the EU to have a consistent approach to data protection across the entire region: no need to check whether you are complying with the laws of each different EU country. One-size-fits-all from 25 May 2018 – theoretically. But the Regulation leaves scope for individual Member States to adopt their own laws on certain topics, and some key elements are unclear.
Can the consent of the data subject to having his or her data processed be implied (as currently under the Data Protection Act 1998), or must it be explicit? How can businesses determine whether their processing of personal data is lawful because it is necessary for the purposes of their legitimate interests? When should businesses appoint a data protection officer? There are other open questions.
The IPA has set up a small working group, headed by me, including lawyers and data protection specialists from some of the IPA’s member agencies. I will be liaising with the Information Commissioner’s Office to try to get clarity on the more opaque provisions of the Regulation.
In the meantime, members can access some preliminary guidance that looks at the differences between some of the key provisions of the DPA 1998 and the new GDPR.
Last updated 19/05/2016