The UK’s 2016 And 2017 Data Protection Landscape

2016 saw further seismic changes to the data protection framework globally and, in particular, the EU. The year heralded the long-negotiated GDPR, the NIS Directive, the Privacy Shield and ended with a flurry of further developments at EU and UK level.

We have pulled together a summary of key developments as well as things to watch out for in 2017.

Article 29 Working Party ("WP29") Guidelines on GDPR

The WP29 adopted guidelines on three major GDPR requirements, namely:

  • DPO

  • Lead authority

  • Data portability

The Draft e-Privacy Regulation

The European Commission's proposal for the Privacy and Electronic Communications Regulation ('e-Privacy Regulation') was published. Some key points are:

  • Enhanced harmonisation and consistency with the GDPR

  • Two-tier system of fines aligned to GDPR

  • Applicability extended to OTT

  • Consent for use of cookies can be provided by means of browser settings

The Commission intends that the regulation would apply from 25 May 2018.

GDPR and Brexit

After months of uncertainty, the UK Government has made clear that the GDPR will apply in the UK. UK-based businesses need to get ready for GDPR regardless of whether and to what extent GDPR requirements will apply post- Brexit. The ICO position is clear - non compliance for UK based organizations is not an option.



In its recently published Cyber Security Regulation and Incentives Review, the UK Government has announced that it will set out the requirements to implement the NIS Directive which will be overseen by the new National Cyber Security Centre (NCSC).

cyan padlock

Directors' Liability

The UK Digital Economy Bill currently proposes liability upon directors for serious breaches of the UK Privacy and Electronic Communications Regulations. Directors will be held liable for violations of the rules on direct marketing including so-called nuisance calls.


UK Investigatory Powers Act 2016

The CJEU ruled on the Data Retention and Investigatory Powers Act 2014 holding that EU member states cannot impose retention of personal data on a general basis. This challenges the legality of the newly adopted Investigatory Powers Act 2016 which appears to impose data retention beyond what is currently accepted by the CJEU.

multiple devices

Things to watch out for in 2017

Here's a (non-exhaustive) list of things to watch out in the year ahead:

On data transfers:

  • Decision on the validity of the current EU Standard Contract Clauses
  • Annual joint EU-US revision of the Privacy Shield


  • Further guidance of the WP29 on GDPR on DPIAs and Certification mechanisms
  • A Fab-Lab in April 2017 held by WP29
  • Carve outs under GDPR

On other EU legislation:

  • Implementation of NIS Directive
  • Negotiations for the adoption of the e-Privacy Regulation

On the UK:

  • Development and outcome of Brexit talks
  • Adoption of the Digital Economy Act
  • Court of Appeal's decision on data retention practices

For a more in-depth look at all of the above, please see our Data Protection and Cybersecurity UK Update Alert here.

Dates for the Diary

  • 28 January 2017 – Data Protection Day & Launch of Cyber Ready Girls 2017 programme

  • 23 February 2017 – The DP Big Breakfast Series Session 1: Data Protection Officers

  • 1 March 2017 - Annual Commercial Seminar

  • 4 April 2017 – DP Seminar – Joint with PDP

  • 19 April 2017 - The DP Big Breakfast Series Session 2

  • 24 May 2017 – Annual DP Seminar

  • 14 September 2017 - The DP Big Breakfast Series Session 3

  • 5 October 2017 – Tech Talk

  • 25 October 17 - The DP Big Breakfast Series Session 4

Look out for invitations in due course or contact us if you want to know more on a specific event.

Leave a Comment