This is the first post in a three-part series.
May 25, 2018. If you are a company that comes into contact with European data, whether you are operating in Europe or elsewhere, and you have not taken note of this date yet, you should. That is when Europe’s new data protection framework – the General Data Protection Regulation (GDPR) – will enter into force, replacing Data Protection Directive 95/46/EC (the “Directive”).
Following this summer’s vote to leave the European Union, the wider implications of Britain’s decision to break from the EU continue to be felt as governments, businesses, and private citizens look to forthcoming negotiations. Unfortunately, it appears that definitive answers to the questions raised by the vote may not be forthcoming for some time following Theresa May’s October 2 announcement that she plans to trigger Article 50, setting in motion negotiations regarding Britain’s departure, by March 2017. One area up for consideration will likely be the issue of data privacy and whether UK will create its own privacy rules or follow the lead of the EU in implementing the General Data Privacy Regulation (GDPR). Generally speaking this law, slated to take effect in May of 2018, will limit the amount of and type of data on EU citizens which may be gathered and shared. Interestingly however, May’s announcement comes just days after the newly appointed head of the Information Commissioner’s Office (ICO), Elizabeth Denham, stated that Britain should follow the GDPR regime. During an interview with the BBC, Denham made her sentiments clear, stating “I don’t think Brexit should mean Brexit when it comes to standards of data protection…In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.”