The Queen’s Speech yesterday shed further light on how the General Data Protection Regulation (GDPR) will be implemented in the UK. The speech confirmed that the UK would implement the GDPR as well as the new European Directive on processing by law enforcement agencies by way of a new law, which will replace the existing Data Protection Act 1998.
The aim of the new legislation is to help the UK to satisfy its obligations whilst it remains an EU member state (it is likely to still be a member state when the GDPR starts to apply in May 2018) and put the UK in a position to continue to share personal data with the EU and internationally post-Brexit.
This announcement comes as no surprise, as the government had previously indicated that the UK would implement the GDPR in order to maintain unhindered and uninterrupted data flows between the UK and the EU post-Brexit, particularly if the UK leaves the EEA. This is because the current legislative regime generally prohibits (and the GDPR will similarly prohibit) transfers of personal data outside the EEA other than to countries whose laws are considered “adequate” to protect the rights and freedoms of individuals, unless safeguards are put in place. If UK laws are not considered adequate, this could make it more difficult for EU organisations to share personal data with UK organisations post-Brexit.
The main elements of the new law are to:
- strengthen rights and empower individuals to have more control over their personal data, including a right to be forgotten when individuals no longer want their data to be processed, provided that there are no legitimate grounds for retaining it;
- modernise and update the regime for data processing by law enforcement agencies. The regime will cover both domestic processing and cross-border transfers of personal data; and
- update the powers and sanctions available to the Information Commissioner.