On March 13, 2017, Elizabeth Denham, head of the UK data protection authority (“ICO”) publicly expressed her intention to massively recruit new personnel in an effort to be ready for the European (“EU”) general data protection regulation (“GDPR”).
In a statement released on its website, the ICO announced its plan to recruit new personnel by May 2018, in light of the new responsibilities and enforcement powers granted to the ICO under the GDPR. Ms. Denham later told the press the ICO would hire approximately 200 persons.
Interestingly, the ICO statement comes on the same day the UK Parliament has green-lit a bill allowing Ms. May, the British Prime Minister, to formally start the Brexit process and trigger the EU withdrawal procedure set forth in article 50 of the Treaty on European Union (“Article 50 Procedure”). Once Article 50 Procedure triggered, the EU institutions and the UK have a two-year period to conclude a withdrawal agreement (subject to possible extension).
The ICO’s statement, however, confirms the ICO’s pro-EU positioning and its willingness to align with other EU DPAs for the implementation and interpretation of the GDPR. More specifically :
- The GDPR will enter into force in the UK in May 2018, along with all other EU countries.
- Following the official withdrawal from the EU of the UK, only EU legislation that has already been implemented into local law will remain in place (e.g., EU Directives which have been enacted in UK laws).
- EU legislation which has direct effect in the Member States without a need for a national implementation including the GDPR, will cease to apply in the UK post-withdrawal. One critical aspect, accordingly, pertains to the manner in which the UK will implement the GDPR, and whether it, for instance, will amend its Data Protection Act to reflect the GDPR’s requirements (and obtain adequacy from the EU).
Alston & Bird is closely monitoring the implementation of the GDPR in various EU countries and the UK, and is advising companies with operations in the EU and the UK on how to comply with the GDPR. For more information, contact Jim Harvey or David Keating.