The GDPR is to become law in the UK

So sayeth Secretary of State Karen Bradley MP in her evidence to the Culture, Media, and Sports Select Committee on Monday 24th October 2016. In fact, her precise words were: ‘We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public’ (see here). This statement has since been welcomed by Elizabeth Denham, as reflected on the ICO’s blog.

Of course, all this is very cheering in terms of our at least being able to answer the basic question of whether the GDPR will become law in the UK. However, let’s not crack open the bubbly quite yet. After all it still remains completely unclear as to how the Government will ‘later’ look to ‘help British business with data protection while maintaining high levels of protection for members of the public’. Not least it remains unclear the extent to which the UK will look to ‘help British business’ either by enacting favourable exemptions under Article 23 GDPR or by trying to tinker with the GDPR itself post-Brexit (although see further my earlier post on the challenges which the Government would face if it pursued the latter course). The lack of certainty is unhelpful: how are businesses supposed to prepare for a regime whose contours remain unknown? when are we going to be given some insight into how the Government proposes to deal, for example, with the issue of exemptions under the GDPR? All we can hope for is that the Government will move rapidly towards revealing its legislative agenda on these issues.

Anya Proops QC