June 24, 2016
By James Mullock and Simon Shooter, Bird & Bird
Even though the UK has voted to leave the European Union (EU), UK organisations are likely to face a data protection and cyber security law landscape heavily influenced by EU laws for the foreseeable future.
The cornerstone of the UK’s current regulatory regime, the Data Protection Act (DPA), is based on laws written in 1995, when Google was 3 years from incorporation, Mark Zuckerberg was 11 and cloud computing was in its infancy compared to today. It is long overdue for a significant refresh.
That refresh is already diarised for Friday 25th May 2018 – when the General Data Protection Regulation (GDPR) will come into force across the European Union. The UK will also very likely soon be committed to implementing the so-called Cyber Directive – the Network & Information Security (NIS) Directive – along with other EU Member States, most likely by Spring 2018. A new directive for the police and criminal justice sector has also been finalised and must be passed into EU Member State law by 6th May 2018.
So what are the data protection and cyber security law consequences for the UK, now that it has voted to leave the EU?