ICO prepares for post-Brexit GDPR

The Information Commissioner’s Office is to publish a revised timeline for the UK implementing the EU’s General Data Protection Regulation after Brexit

Information commissioner Elizabeth Denham has welcomed the UK government’s confirmation that it will implement the EU’s General Data Protection Regulation (GDPR) despite the outcome of the UK referendum.

In a blog post, Denham wrote: “I see this as good news for the UK. One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world.

“The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information.”

Denham’s comments follow government confirmation during last week’s select committee meeting for culture, media and sport that the GDPR will go ahead.

In response to a question on Brexit at the select committee meeting, Karen Bradley, secretary of state for culture, media and sport, said: “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

Denham echoed the minister’s comment that the UK would still be a member of the EU when the GDPR comes into effect. “I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU, but this should not distract from the important task of compliance with GDPR by 2018,” she said. 

“We will be working with government to stay at the centre of these conversations about the long-term future of UK data protection law and to provide our advice and counsel where appropriate.”

As Computer Weekly has reported previously, UK businesses could face up to £122bn in penalties for data breaches when the new EU legislation comes into effect.

Writing for Computer Weekly in June, Yves Le Roux, co-chair of the (ISC)² Emea Advisory Council and technology strategist for CA Technologies, said 79% of Britain’s medium and large companies are unsure about their compliance, and many do not understand how the burden of compliance will be divided up.

Le Roux urged businesses to appoint a data privacy officer to take responsibility for defining and regularly reviewing the organisation’s overall privacy management strategy. This role should be distinct from that of the information security professional charged with executing the strategy, he said.