The Information Commissioner’s Office (ICO) in the United Kingdom has issued a warning to companies to remind them that they must adhere to existing data protection legislation as the State completes its transition from being a European Union Member State to a fully independent country.
It is envisaged that the period of transition will come to a close by the final day of December 2020 and it is expected that the European Union’s General Data Protection Regulation (GDPR) will be copied into UK legislation as ‘UK GDPR’.
The ICO has commented that: “The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK from the end of the transition period. However, if you operate inside the UK, you will need to comply with UK data protection law. The government intends to incorporate the GDPR into UK data protection law from the end of the transition period – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.”
It is crucial to recognise that, whatever data privacy laws are passed in the UK, if a UK-based business or organisation is dealing with or managing the private data of UK-based clients then it must still comply with EU GDPR in the same way that any business based outside of the EU would be obligated to. Due to this, it is of the utmost importance to make sure that UK-based entities remain compliant with the EU GDPR. The early indications are that the obligations and requirements will be practically identical in both sets of legislation.
The ICO remarked: “It is not yet known what the data protection landscape will look like at the end of the transition period and we recognise that businesses and organisations will have concerns about the flow of personal data in future. We will continue to monitor the situation and update our external guidance accordingly.”
However, the ICO has also made reference to the fact that there will be no requirement to appoint a European Economic Area (EEA) representative during the transition period, although this may well be a requirement in the immediate aftermath of the transition period finishing.
An ICO spokesperson said: “During the transition period you do not need to appoint a representative in the EEA. However, you may need to appoint a representative from the end of the transition period if you are offering goods or services to individuals in the EEA or monitoring the behavior of individuals in the EEA.”
One position that will definitely not be the same once the transition period comes to a close is that the ICO will no longer be reviewing compliance with European Union data privacy legislation. Instead, it will only be focused on making sure that the UK data privacy legislation is being complied with. The FAQ page on the ICO website was edited to say that: “ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR, although we hope to continue working closely with European supervisory authorities.”
It will remain important for UK-based firms to see to it that they remain compliant with GDPR if they are managing the private data of those in the EU, and they must also ensure that they are adhering to the new UK data privacy legislation.