As the UK has voted to leave the EU, there is no legal obligation to implement the GDPR. However, the Information Commissioner's Office (ICO) has made it clear that the current Data Protection Act 1998 (DPA98) may have to be revised to bring it into line with EU Regulation 2016/679, so that the UK remains able to trade and work with EU member states and other partners within the European Free Trade Area (EFTA).
The ICO had prepared plans for the event of the UK leaving the EU, which include revisions to the DPA98 that would bring it into line with the GDPR requirements.
The Regulation 2016/679 framework would be the ideal model to provide a positive driver for trade and the free movement of data. Any new data protection legislation in the UK would need to be implemented and in effect by May 2018, which leaves the UK little time to make the changes.
As a framework, Regulation 2016/679 could be adopted by organisations within the UK now. Although not legally bound by it, they would then be in the best possible position to provide assurance of sound procedures for the protection of personal data come 2018.
With 25 May 2018 set as the commencement date for the GDPR, the UK will have little time to consult on, draft and put into place an Act that is proportional to the GDPR. With this scenario in mind, the Information Commissioner could advise Government that the current GDPR is already a focal point for UK organisations, and that the timeline for the new data protection act should be shortened so that it meets the GDPR timeline.
Another possible scenario is that a mechanism similar to the EU-US Privacy Shield (when fully ratified) could be negotiated for the UK. This is the less likely scenario, because the EU published two directives at the same time as it published the Regulation in April 2016. One of these directives focused on data privacy and data sharing between law enforcement agencies across the EU, and the other on Passenger Name Registration (PNR); both require EU member states to put legislation in place to meet their requirements. The UK must therefore ensure that it is able to share data with law enforcement agencies in the EU, and in doing so it must meet the requirements of the GDPR on which both directives are based.
To this end, the UK is more likely to adopt legislation that is directly linked to the GDPR, but the timeline for commencement will no doubt be a challenge that the drafters and the Regulator will have to consider.