21st November 2018
The new rules apply to all individuals and businesses which process personal data, whether relating to employees, customers, suppliers or other contacts.
The new EU data protection law
The General Data Protection Regulation (GDPR) came into effect across the EEA, including the UK, on 25 May 2018. The GDPR is designed to strengthen data protection rights and, since the UK remains a member of the EU until Brexit is formally concluded, it is currently directly subject to the GDPR, if only for the time being.
Moreover, the new Data Protection Act 2018 (DPA) specifically incorporates the GDPR into UK law (and extends the regime to several other areas of public and commercial life) so, regardless of how and when Brexit takes place, the GDPR will continue to have effect in the UK. Post-Brexit, the UK will need to be able to demonstrate continuing “adequate” data protection provisions in order to retain current commercial arrangements with the EU. Adopting the GDPR rule book is obviously the simplest way to aim for “adequacy” (although it is by no means automatic or inevitable that the EU will grant the UK this status) and the UK Information Commissioner’s Office is likely to continue to take notice of EU enforcement of the GDPR when interpreting and enforcing the DPA.
Does the marketing industry need to worry specifically about the GDPR?
The Privacy and Electronic Communications Regulations (PECR) supplemented the old data protection in several important areas, notably the extent to which businesses could send unsolicited marketing communications to individuals. While it was originally envisaged that PECR would be replaced by a new ePrivacy Regulation (ePR) at the same time that the old Data Protection Directive was replaced by the GDPR, this timetable has slipped. A draft version of the ePR is still being considered by the European Parliament but, for the time being, PECR continues to apply.
This means that businesses can only send marketing material to individuals by electronic means with their consent.
However, under PECR, the current “soft opt-in” rules still apply – i.e. a customer who has purchased goods or services from a business is deemed to have consented ("opted-in") to receiving electronic marketing communications from that business about the same or similar goods and services provided:
1) they were given an opportunity to opt-out at the time of the purchase; and
2) they are given an unsubscribe option with each subsequent communication.
It is not yet clear what path the UK will eventually take after it leaves the EU. If it adopts a Norwegian or Swiss-style approach, this will automatically include close alignment with EU data protection requirements.
If the UK chooses to truly go it alone and forge bespoke trade deals with select partners (e.g. the ‘SuperCanada’ option), then it will, in principle, have the freedom to revise its data protection laws as it sees fit. However, commercial and international pressure will nudge it forcefully in the direction of the GDPR, and the recent history of the US Safe Harbor provisions does not bode well for countries who wish to trade with the EU but whose data protection does not meet EU standards.
Safe Harbor was a scheme which allowed compliant US companies to self-certify as offering adequate levels of data protection. However, it was struck down in 2015 because of concerns surrounding US Government access to personal data. A putative replacement, Privacy Shield, has been mooted but not yet been universally accepted and is subject to serious legal and political challenge. Instead, many businesses have chosen to take the alternative safe route of the European Commission’s standard clauses (which are accepted to be adequate) or make their own adequacy determination for transferring data outside the EEA (a riskier option). In due course, Privacy Shield – or a modified and improved version of it – may come to be accepted by EU national data protection authorities and the UK might then be able to adopt something similar.
Regardless of the eventual situation, the UK will remain a member of the Council of Europe (not an EU body) and will retain its obligations under Convention 108 which concerns automatic processing of personal data.
For now, it seems unlikely that the UK will deviate significantly from the GDPR. With most UK businesses well down the route of GDPR compliance and accountability, no Brexit-induced changes are likely to occur in the foreseeable future.