GDPR will come into force in the UK in 2018, minister confirms

Out-Law News | 09 Nov 2016 | 4:17 pm | 1 min. read

The EU's General Data Protection Regulation (GDPR) "will come into force in the UK in May 2018", the country's digital minister Matt Hancock has confirmed.

The announcement was expected after UK culture secretary Karen Bradley recently indicated that organisations could expect the GDPR to apply directly in the UK, at least for a time, despite the UK's move towards Brexit.

However, Hancock's announcement, contained in a written statement on the triennial review (54-page / 5.19MB PDF) into the Information Commissioner's Office (ICO), the UK's data protection authority, has now provided further clarity on the government's intentions.

In his statement, Hancock confirmed that the ICO's immediate priority will be to prepare itself, and other organisations, for the introduction of the GDPR, which comes into effect on 25 May 2018, and for "any changes to data protection regulatory landscape" post-Brexit.

As a result, Hancock confirmed the UK government would not adopt recommendations,   contained in the triennial review, to reconstitute the ICO as a "small multi-member Commission".

The ALB governance division in the Ministry of Justice that conducted the review proposed establishing a board of commissioners at the ICO, headed by a chief executive who would be "responsible for driving performance, operational delivery, value for money and opportunities for cost recovery where appropriate", according to the newly published report following the review.

However, Hancock said a move to a multi-member Commission model "is not the right change to make" to the ICO's governance arrangements.

"Strong and stable leadership is crucial during a period of rapid organisational change and the government believes that a single information commissioner working through an enhanced senior leadership team is the best model for achieving this," Hancock said. "We therefore do not intend on making any statutory changes to the governance model of the ICO."

Hancock, though, backed other steps aimed at ensuring the ICO is a fit regulator for the digital age.

The minister said: "The review recommended that the ICO improves its digital and technological capability to meet the economic and societal challenges posed by the rapidly growing digital economy. A number of improvements have been made over the last year, expanding the number of technology experts at the ICO and improving the visibility of technology in the ICO’s communications."

"This additional expertise has significantly strengthened the ICO's investigation and enforcement capability in relation to cyber and other data protection breaches. The information commissioner is committed to publishing a refreshed technology strategy in 2017, including further investment in expertise available to the ICO and drawing on external knowledge through better research and collaboration with experts from academia and industry."

An ICO spokesperson said: "We’re glad the report has been published, and welcome the positive comment on our work and contribution to the protection of personal data and freedom of information."