The General Data Protection Regulation (EU 2016/279) (GDPR) is a new data protection and privacy law replacing previous data protection legislation in all EU member states; in the UK it replaced the Data Protection Act 1998 (DPA).
The GDPR applies to all businesses based in the EU, and to those in other countries that trade data or services with anyone residing in the EU. This covers all shapes and sizes of business, so it is equally applicable to sole traders and large corporations.
The GDPR will also be accompanied by new ePrivacy laws to upgrade the Privacy and Electronic Communications Regulations (PECR). The ePrivacy Regulation (ePR) is still pending agreement and is planned for enforcement later in 2018.
The GDPR has now been enshrined in UK law by the Data Protection Act 2018, which received Royal Assent just in time for the GDPR enforcement date in May 2018.
The Information Commissioner’s Office has welcomed the UK’s third generation of data protection law; whilst the current wording of the Data Protection Act 2018 is an arduous read compared to the GDPR, the Act will hopefully ensure the UK gains a vital adequacy ruling from the European Commission after we leave the EU in March 2019.
This will ensure that the UK remains a viable trading partner with the EU and that UK businesses of every size will be able to continue sharing data across the EU and EEA border, with continued access to the EU Single Digital Market.