Information Commissioner's Office warns that UK Data Protection Act will have to be close to EU regulation to ensure post-Brexit access to Single Market
Organisations should still be ready to comply with the EU’s forthcoming General Data Protection Regulation (GDPR), despite the vote to leave the union, the Information Commissioner’s Office (ICO) has warned.
It has published a statement making clear that, while the Data Protection Act (DPA) is the law of the land, the relevant standards would still have to be equivalent to those of the European regulation, which is due to come into effect in 2018.
A spokesperson said: “If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018.
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that would continue to be the case.”
A draft of the GDPR was passed by the European Parliament in January and is expected to be signed off over summer. Much of it reflects the existing demands of the DPA, but there are new elements, such as ‘right to be forgotten’ requests, that will have to be addressed.
Public sector IT association Socitm has previously said that public authorities will have to deal with these, that they could develop more complex compliance needs, and that they should review their information governance on dealing with personal information.
The ICO has issued guidance for all organisations, setting out 12 steps that include looking at the legal basis for processing personal data, updating procedures on subject access requests, reviewing consent mechanisms and designating data protection officers.
Image modified from MPD01605, CC BY-SA 2.0 through flickr