Britain will adopt GDPR, says ICO chief


Elizabeth Denham, the new UK Information Commissioner, has said that it’s “extremely likely” General Data Protection Regulation (GDPR) will come into effect before Britain leaves the European Union.

In her first speech since taking on the role, Denham said: “It is extremely likely that GDPR will be live before the UK leaves the European Union. Remember that it is actually already in force, it is just that Member States are not obligated to apply it until 25 May 2018.”

Denham did however say that Brexit had complicated the mater and the way the UK carries out data protection legislation.

“The Referendum result has thrown our data protection plans into a state of flux,” she said. “What hasn’t changed are the strong data protection rules the UK already has. We need those rules to ensure cross-border commerce, not to mention the privacy protections citizens and consumers expect,” Denham added.

Organisations and public bodies that do business with EU organisations are likely to have to comply to GDPR regulations.

“The fact is, no matter what the future legal relationship between the UK and Europe, personal information will need to flow. It is fundamental to the digital economy. In a global economy we need consistency of law and standards – the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent,” she explained.

“For those of you who are not lawyers out there, this means there would be a legal basis for data to flow between Europe and the UK.”


Opportunity for government

“The future of the law is an opportunity for government too,” continued Denham. “Being ‘open for business’ means more than just saying you are. It means having a digital economy, being digitally enabled. And data protection is central to that. This is nothing the government doesn’t already know.

“When the UK leaves the EU (based on what we know today – 2019 or later) a new data protection law will need to be in force.

“I’m having active discussions with Ministers and senior officials in government, and have transmitted our view on the future of data protection law. We believe that future data protection legislation, post Brexit, should be developed on an evolutionary basis, to provide a degree of stability and clear regulatory messages for data controllers and the public.

“The aim here is not a data protection regime that appeals because it is overly lax or “flexible”. The aim is a progressive regulatory regime that stands up to scrutiny, that doesn’t leave the UK open to having rocks thrown at it by other regimes. And that has consistency and adequacy with the Europe.

“Regulators generally don’t lobby, and ultimately we work with the law government give us. But when the conversation is about the future of data protection in the UK, the ICO is determined to be part of that conversation. We have thirty years’ experience as a regulator in a changing environment. We don’t want to talk legislative minutiae, but to look at the key principles that should underpin the future of privacy law in the UK.”

Related reading