From 1 January 2021 the EU28 will reduce to EU27. In the UK, the GDPR will be replaced by UK GDPR. Whilst this will substantially mirror the GDPR, there will be a number of currently unknown and unintended consequences for businesses and their advisers managing breaches in the UK.
One of the more material consequences concerns the loss of the UK (and ICO) as a lead supervisory authority for the EU. The one-stop-shop mechanism will fall away where the UK (and ICO) is currently the lead / designated supervisory authority. It remains to be explained in any detail how the ICO will coordinate and cooperate with other EU data protection authorities where a personal data breach is notified both to the UK and to another EU27 data protection authority. Will we go back to parallel fines, e.g. Uber?
Expanding on this theme further, to what extent should controllers draw upon, and will the ICO draw upon, existing and future guidance issued at an EU27 level, e.g. by the European Data Protection Board? Will the ICO (and UK courts) take into account the decisions of other supervisory authorities, other national courts and the CJEU? To what extent will those decisions be considered, or even treated as persuasive, in the UK?
A lot of uncertainty remains, not least as to the shape and form of Brexit, let alone its impact on data protection legislation and, more practically, on those of us managing global breaches every day which touch the UK. In a recent call to the ICO, the ICO confirmed that it was also considering these questions and awaiting further details once the outcome of the Brexit negotiations is known.
What happens at the end of the transition period? That depends on negotiations during the transition period. The GDPR will be brought into UK law as the ‘UK GDPR’