An ongoing culture of UK GDPR compliance

It takes a mind shift to realise that it could soon be the UK’s Secretary of State rather than the European Commission deciding on the status of other countries’ adequacy. We have seen that the UK government has been energetically preparing for a no-deal Brexit so, for example, Argentina has declared the UK to have an adequate framework of data protection law. We will look to see whether other jurisdictions declared to be “adequate” by the EU will follow this path.

Some sectors are better prepared than others. Anecdotal evidence is that the highly regulated financial services sector is better prepared than most, as it has teams of people dealing with compliance issues, not only with the ICO but also the Financial Conduct Authority.

For all sectors, it is vital to remember that the regulatory scene in the UK will continue along familiar lines, as the government has made it clear that as far as data protection law is concerned, the UK will maintain regulatory alignment with the European Union. Although the flow of personal data from the UK to the European Economic Area will continue as now, one cannot make this assumption about the legal flow of personal data from the EEA to the UK.

If the split between the UK and the EEA is acrimonious, the EU may take considerable time to declare the UK “adequate,” as political factors will inevitably play their part (p.11).

Of course, it is wise to prepare for a no-deal Brexit (pp. 9, 10, 16). Whatever happens, you will need an ongoing culture of UK GDPR compliance (p.12). You will have to continue in the spirit of Business as Usual, for example:

  • mapping your organisation’s flow of personal data;
  • maintaining your Data Protection Impact Assessments;
  • assessing and ranking your risks according to their severity and likelihood of occurring;
  • introducing EU Standard Contractual Clauses for transfers from EEA countries to the UK where they have not been needed before; and
  • reviewing the wording of your privacy notices as necessary.

Communications with your colleagues should be calm and measured. Your organisation has survived the entry into force and full application of the GDPR. Looking on the bright side, Brexit is a similar change management project.

Fortunately, in the UK, the ICO is recognised in other EEA countries as particularly willing to engage with public and private sector organisations, giving advice and cooperating in innovative plans (p.23).

Integrating Ireland’s Data Protection Law into Everyday Business

The Northern Ireland border seems to be the most intractable point in the Brexit debates and the MPs’ votes. As a result, in planning for our conference: Integrating Ireland’s Data Protection Law into Everyday Business on 8-9 May in Dublin, we ensured that we covered the All Ireland dimension by having not only three speakers from Ireland’s Data Protection Commission, but also the Head of the ICO’s office in Northern Ireland.

Whether or not Brexit will be resolved by the time we publish our May edition of PL&B UK Report, we will guide you through the process.


Stewart Dresner, Publisher


UK 102

UK Report 102

Lead story:

Disclosure of personal data in M&A due diligence phase

Data protection laws play a role in most mergers and acquisitions transactions because all companies process personal data. By Lore Leitner and Elli Laine of Wilson Sonsini Goodrich & Rosati.

Contents also include:

  • Comment: Preparing for Brexit
  • All eyes on the Brexit negotiations
  • Will the UK be an “adequate” destination for EU data?
  • Blockchain and the GDPR: Reconcilable differences?
  • Adtech tête-à-tête
  • GDPR EU Representative – the “hidden obligation” and Brexit
  • Book Review: Law, Policy and the Internet
  • Adopting an ongoing culture of GDPR compliance
  • Brexit will not affect data protection standards
  • London councils are failing to comply with FOI Act
  • ICO call for extension to FOI
  • EDPB advises on Brexit, data transfers and BCRs
  • ICO to start audits on Leave.EU and Eldon
  • UK Best GDPR communication awarded to agency behind Guardian campaign
  • ICO, FCA issue Memorandum of Understanding
  • MPs call for ethics regulator funded by a tech levy
  • ICO prepares for a ‘regulatory sandbox’