The UK should update  existing legislation on protection  of personal data in anticipation of the entry into force of EU Regulation 679/2016, effective on 25 May 2018.

It will be necessary therefore to determine whether and what application this new legislation will have to the processing of personal data in the UK upon its departure from the EU. In view of this difficult situation, it is expected that the above Regulation will be applied within the limits of the reforms that the UK adopts during its exit from the European  Union, even though it will be necessary to wait before verifying the government’s positions.

In a recent  statement, the “Information Commissioner’s Office” (ICO) of Britain has confirmed the applicability in the UK of the Data Protection  Act of 1998 and the need  for effective remedies  to be implemented in the future in order to maintain continuity of personal data policies with that of the European  Union (and thus in line with the new rules). In particular, the non-direct application of the Regulation to the UK territory will be subject to specific attention, especially with respect to the “adequacy” that the new (or existing) UK legislation has in relation to European  Union law so as to ensure the continuation of business activities and of relations between organisations and consumers. Under this logic, the “new” UK legislation should therefore be guided by European  standards and be the result of negotiations  with the European  Union (similar to what happened in Switzerland or Canada)  . A new legal framework in the field of personal data protection  will have a fundamental role in technological fields, finance, marketing, etc. with effects, as it is typical of legislation on protection  of personal data, on all sectors which operate (even indirectly) in the processing of personal  data.

Furthermore, from a practical and legal perspective, the exit of the UK from the European  Union (and any related laws on protection  of personal data) could result in a substantial change in the flow of personal data between the UK and the EU with a consequent “transfer” of data. This fact and its implications should be carefully assessed in light of the measures approved by the European Commission in order to legitimize (and make secure)  its cross- border flow of data.

It is therefore clear that during this transition phase  these  aspects should be carefully assessed both from an implementation and practical point of view as well as with regard to “continuity” of relations with participating partners  in the EU.

You can consult and/or download the full version of the Brexit dossier here.