A new General Data Protection Regulation ("GDPR") was published in the Official Journal on 4 May 2016. As it is a Regulation (as distinct from a Directive), it is directly applicable in Member States without any requirement for implementation into national law. It applies in all EU Member States from 25 May 2018.
It introduces a new sanctions regime and new requirements that will increase the regulatory burden on controllers and processors. The GDPR is accompanied by its cousin in law enforcement data protection matters, the Police and Criminal Justice Data Protection Directive.
The European Commission claims that the reform will boost legal certainty for businesses, with a single set of rules across the EU and a "one-stop-shop" approach to regulation meaning that companies will only have to deal with one single supervisory authority ("SA").
However, while the GDPR is designed to enhance individuals' data protection rights, the necessary corollary of stronger rights for data subjects is more onerous obligations for controllers, and, for the first time, processors.
The UK vote to leave the European Union has created uncertainty about how the GDPR will apply to the UK in the future. However, as the UK Government submitted formal notice of its intention to leave the European Union (under Article 50 of the Treaty on European Union, as inserted by the Lisbon Treaty) only at the end of March 2017, the conclusion of negotiations for that exit will almost certainly occur after the GDPR application date of 25 May 2018.
This means that GDPR will have some direct application to the UK for a period of time while the arrangements for leaving the European Union are finalised.
The ICO has also indicated that, in order to participate in the Single Market and to receive data transfers from the European Economic Area, the UK will need to adopt data protection standards that are essentially equivalent to those in the GDPR in order to justify an adequacy decision; therefore, notwithstanding the Referendum result, we do expect some degree of reform to UK data protection law.
Further, UK-based organisations that offer goods or services to individuals in the EU or monitor their behaviour, or whose personal data processing activities are related to such offering or monitoring, will in any event be directly subject to the GDPR regardless of whether it is in force in the UK.