Last week, Karen Bradley, the Secretary of State for Culture, Media and Sport, confirmed in oral evidence given to the Culture, Media and Sport Select Committee that the EU General Data Protection Regulation would, after all, come into force in the UK on 25 May 2018. 

The UK's Brexit vote had cast some doubt on whether the UK might seek to negotiate a way out of GDPR as part of the Brexit negotiation process due to begin once the Article 50 withdrawal process has started.

Mrs Bradley said:

"I had a meeting in the Department for Exiting the European Union on Thursday with the Secretary of State. We went through a number of matters. An example might be the General Data Protection Regulation, which of course comes into effect in the spring of 2018. We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public."

Following Mrs Bradley's statement, the UK Information Commissioner, Elizabeth Dunham, published a blog piece welcoming the news and re-confirming the ICO's view that the reform of data protection law was necessary to protect individuals by giving them greater control of their data.

Whilst the Commissioner also acknowledged 'that there may still be questions about how the GDPR would work on the UK leaving the EU... this should not distract from the important task of compliance with GDPR by 2018.'

The data requirements of GDPR are such that many organisations will require a real step-change in terms of data governance and that will take time. Back in May, we said that although then some 2 years away, anyone planning a GDPR project should not delay because there is much to do. Some 5 months on, the need is even more pressing and any organisation that was holding off in the hope that Brexit would in some way prevent GDPR coming into force in the UK should now put that aside. It's not going to happen.

The Commissioner has promised to issue a revised timeline this month setting out her programme for issuing GDPR guidance over the next 6 months. Whilst waiting for that guidance to arrive, there are basic preparatory steps you can be taking and for expert advice on GDPR planning, please speak to us.


Christine O'Neill KC

Chair & Partner