The Information Commissioner’s Office (ICO), the data protection authority in the United Kingdom, has released an official warning for businesses to make sure that they continue to comply with all current data protection legislation during the moves away from the European Union.
By the end this December (2020) the transition period should come end to a close, as planned and it is believed that the European Union’s General Data Protection Regulation (GDPR) will be incorporate into UK data privacy legislation as a ‘UK GDPR’.
The ICO statement said: “The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK from the end of the transition period. However, if you operate inside the UK, you will need to comply with UK data protection law. The government intends to incorporate the GDPR into UK data protection law from the end of the transition period – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.”
At this time it is crucial that, whatever future legislation is enacted in the UK to manage the security of data, if a UK-based business or organisation is handling private data pertaining to UK-based clients then they will still be subject the to EU GDPR in the same way that any company based externally to the EU would be. As a result it is of the utmost importance to see to it hat UK-based entities remain 100% compliant with the existing EU GDPR. As of the year all indications are that the obligations and stipulations of the UK-style GDPR will be practically identical in both sets of legislation.
ICO’s statement said that “it is not yet known what the data protection landscape will look like at the end of the transition period and we recognise that businesses and organisations will have concerns about the flow of personal data in future. We will continue to monitor the situation and update our external guidance accordingly. During the transition period you do not need to appoint a representative in the EEA. However, you may need to appoint a representative from the end of the transition period if you are offering goods or services to individuals in the EEA or monitoring the behavior of individuals in the EEA.”
One position that will definitely be different when the transition period ends is that ICO will no longer be as a a police office for the European Union to ensure that EU GDPR is being complied with. The FAQ section of ICO has been update to state: “ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR, although we hope to continue working closely with European supervisory authorities.”