The General Data Protection Regulation ('GDPR') will be coming into force across the European Union on 25 May 2018. The aim of the GDPR is to ensure that the fundamental right to protect personal data will be guaranteed across the EU. The GDPR places more stringent obligations on those processing personal data and also imposes greater enforcement powers that are contained in the Data Protection Act 1998 ('DPA').
The GDPR will automatically become law in each EU Member State without the need for domestic legislation to implement it. It appears likely that the UK will still be a Member State of the EU on 25 May 2018 and therefore the GDPR will apply in the UK until the country formally leaves the EU. Whilst it is in force in the UK, the GDPR will supersede the DPA and render it largely redundant. Depending on how the exit negotiations between the UK and EU progress, the GDPR may be in force in the UK for a few weeks, a few months or a few years.
We do not yet know what data protection law will apply at the point the UK leaves the EU. Between now and then, the UK Parliament will need to decide whether to keep the DPA in its existing form, introduce new legislation which provides the same level of data protection as the GDPR or depart from the EU's approach to data protection entirely. On the topic of legislative reform, the Information Commissioner's Office has written:
“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
Whilst the long term future of data protection in the UK is unknown, it does appear likely that the GDPR will apply in the UK from 25 May 2018. We shall be providing updates and seminars concerning the impact of the GDPR and the evolving future of data protection in the UK during the coming months.