< Back

Share |

Data protection and the GDPR: not to be forgotten

2018 was the year the GDPR came into effect (as we all know). In the data privacy world, it doesn't get much bigger than that. 2019 may not be quite as eventful (at least in terms of data protection) but data privacy will remain high on the agenda for businesses.

December 2018

We can't say it often enough – GDPR compliance is an ongoing obligation. It is not a tick-box exercise. It is not something you can cross of your 'to do' list. It is also not the only thing you need to think about when considering data privacy issues. As the 25 May 2018 recedes into the past, what will be the biggest data privacy issues in 2019?


It's a safe bet that Brexit is going to dominate 2019 in the UK and preserving the free flow of personal data is one of the highest priorities on both sides. Technical agreement has been reached on the draft Withdrawal Agreement and Political Declaration on the future relationship, both of which contain a number of references to data protection. Whether or not either agreement survives in its current form, or indeed at all, remains to be seen, but it is encouraging to see the emphasis placed on the preservation of cross-border data flows.

The Political Declaration which sets out the parameters for the future relationship between the EU and the UK puts "a commitment to a high level of personal data protection" as a basis for cooperation, and prioritises adopting an adequacy framework by the end of the proposed transition period, with the UK to take comparable steps to facilitate personal data flows to the EU.

Article 71 of the draft Withdrawal Agreement deals with data and other information after the end of the transition period. EU law on protection of personal data will apply in the UK to the processing of personal data of data subjects outside the UK where the data was processed under EU law before the end of the transition period, or where processed after the end of the transition period under the Withdrawal Agreement. These rules do not apply where the relevant processing is covered by a Commission Adequacy Decision. Where an Adequacy Decision ceases to apply, the UK must ensure an equivalent level of protection. This is not a commitment to continue to apply EU data protection law in full after exit. It applies only to non-UK personal data processed in accordance with EU law before the transition period.

In addition, at the end of the transition period the UK will not have access to any network, information system or database established on the basis of EU law (subject to derogations). Confidentiality and other obligations will apply to data and information obtained by authorities, official bodies or defined contracting entities before the end of the transition period or on the basis of the Withdrawal Agreement. The EU will not treat any data obtained from the UK prior to the end of transition, or after transition under rules in the Withdrawal Agreement, any differently from Member State data.

We already know that the Data Protection Act 2018 makes provision for the majority of the GDPR to apply in the UK after Brexit, and the government has said that even in a 'no deal' scenario it will preserve data flows to the EEA for the foreseeable future. We have also known for some time that the EU would not begin adequacy negotiations until after withdrawal arrangements had been concluded, but it is heartening to see that the UK has not been sent to the back of the adequacy queue.

What all this means is that if there is a no deal Brexit, data flows should be uninterrupted from the UK to the EEA, but a data transfer mechanism will be needed for personal data flows from the EEA to the UK. The best option is likely to be standard contractual clauses as Binding Corporate Rules need regulator approval which is unlikely to happen quickly enough. In the event that we do go into a transition period, the chances of an adequacy arrangement by the end of transition and no disruption to data flows are high.

ePrivacy – more to come

It's not all about the GDPR. The ePrivacy Directive which, among other things, governs rules on cookies and electronic direct marketing, is in the process of being replaced by the ePrivacy Regulation which remains bogged down in the legislative process (read more about it). The Regulation was intended to come into effect on 25 May 2018, alongside the GDPR, but it is now unlikely to apply in 2019 even if it does become law next year. The approval process is likely to be delayed by the European elections in May and a reasonable period of at least six months will be needed between enactment and implementation. It seems, from the progress of the Regulation, that some of its more disruptive provisions are being watered down, but this will be something to watch in 2019.

GDPR bites

We don't want to scare you (it is Christmas, after all), but somebody is going to be made an example of under the GDPR. We haven't seen a major enforcement action concluded under the GDPR and the much-discussed potential fines of up to 4% of annual global turnover, remain the as yet undetonated 'nuclear option', locked away in the regulatory arsenal. 2019 is likely to bring enforcement actions under the GDPR which result in penalties of more than the previous £500,000 maximum. Having said that, the UK's ICO has been at pains to reassure businesses that the punishment will fit the crime, and only the most egregious breaches will result in heavy fines. We do not expect to see businesses which are obviously trying to do the right thing, feel the full force of the GDPR, but it's also worth saying that we think the focus of the ICO will go well beyond the tech giants next year.

DPOs will come into their own

The GDPR introduced a statutory requirement to appoint a Data Protection Officer (DPO) under certain circumstances for the first time in the UK, although the ICO has long advised data-rich organisations to appoint one. We expect to see more organisations voluntarily appoint DPOs even when not required by law to do so, and for DPOs to lead on data privacy within businesses. As individuals are increasingly aware of their rights and become more concerned about use of their personal data, there is an ever-greater business case for having a well-trained DPO in place. Leading on from that, we expect to see an increasing number of DPO training offerings come to market, and an increase in the outsourcing of the DPO function to data privacy experts.

US on board the privacy train

Various States in the Union are looking more closely at data protection. In 2018, California introduced its Privacy Act which will protect Californian personal data and impact organisations with Californian activities, but which may be based outside the State, and which surpass one of a number of quite low thresholds of Californian users and revenue. The USA is now considering introducing a Federal data privacy law and the Senate conducted hearings in the autumn to discuss the possibility. The intention would be to prevent regulatory fragmentation across the US.  

Some of those pushing for a Federal law to pre-empt State legislation want to bring the US' data privacy framework more in line with 'gold standard' privacy regimes around the world, including the GDPR, where others are pushing for a lighter pro-business regime. While California's new Privacy Act has proved controversial, the tech giants are increasingly supportive of a Federal privacy standard and a number have published their views on what it should contain. With the House of Representatives now controlled by the Democrats, seen as more likely to support new privacy laws, the chances of a new US-wide data privacy law making it through the legislative process have increased. While we do not expect to see a new law pass in 2019, we do expect debate and concrete proposals in the coming year.

Sectors under scrutiny

With the GDPR done and dusted from the regulators' perspective (although we are still waiting for more guidance in some areas), we expect to see the UK's ICO focus increasingly on particular sectors. We are looking at a more pre-emptive enforcement stance, with thematic reviews (similar to those conducted by the FCA) leading to specific investigations and enforcement action against individual data controllers and processors in breach. The ICO recently conducted an investigation into potential misuse of data in politics and is also focusing on children's personal data but there are a number of other sectors which the ICO clearly has concerns about, particularly those involving disruptive technology like AI. The GDPR and the DPA18 have given the ICO significantly greater powers and led to a large budget increase. We expect some of these resources to be deployed in sector-specific investigations in 2019.

Data privacy

2019 is undoubtedly going to throw up enormous challenges in the UK with Brexit scheduled for the end of March. In data privacy terms, it's not going to be as big a year as 2018, but businesses must not lose sight of their continuing data privacy obligations. Data protection and cybersecurity compliance is constantly evolving and here to stay.

If you have any questions on this article please contact us.

Debbie Heywood

Debbie predicts the data privacy hot topics of 2019.

"We do not expect to see businesses which are obviously trying to do the right thing, feel the full force of the GDPR, but we think the focus of the ICO will go well beyond the tech giants next year."