Data Protection and Cybersecurity


Last updated: 5 January 2018

Bird & Bird's EU Legislation Tracker highlights Regulations and Directives scheduled to take effect or to be implemented by Member States in the period prior to the UK's departure from the EU. It does not provide an exhaustive survey. Instead, we have sought to summarise some of the key legislation, both draft and finalised, which we are tracking in the run-up to Brexit and which is likely to be of interest to companies which do business in the UK and/or elsewhere in Europe.

The Tracker includes a short commentary on the substance of each of the measures identified, and a timeline for their known or likely effective dates (for Regulations) or implementation deadlines (for Directives). These are colour coded by reference to the likely date of Brexit.

For the purposes of the Tracker, we have assumed that the UK will exit the EU two years from its service of the Article 50 notice (i.e. on 29th March 2019). However, a transitional period is expected to follow, until the end of 2020, during which the UK will be required to continue to align its laws with those of the EU Single Market and Customs Union. It is currently expected that the EU Withdrawal Bill will be enacted with effect from the exit date and that the resulting Act will retain all EU Regulations (and statutory instruments implementing EU Directives) in UK domestic law. However, the Act is also expected to enable amendments to such Regulations by statutory instruments during a two-year period, and this process will determine the final form, in UK domestic law, of such legislation now summarised in our Tracker.

Implementation status 
  Implementation deadline/effective date likely to be pre-Brexit
  Implementation deadline/effective date likely to be post-Brexit
Timeline   EU legislation

Implementation deadline

9 May 2018


Network and Information Security Directive (NISD) (Directive (EU) 2016/1148)


  • Will introduce a framework of cyber security risk management for 'essential' and 'digital' service providers.
  • Regulated sectors will have to report cyber-attack incidents to a national competent authority in countries where they operate and adopt measures to manage security risks.
  • Likely to regulate energy, transport, banking, financial market infrastructure, health, water, cloud service and social media service providers amongst others. 

Brexit impact:

  • In August 2017 the UK government published a consultation paper seeking views on its plans to implement the NISD into UK legislation. The closing date for the consultation is 30 September 2017 and a response from government has been promised within 10 weeks. See here for a copy of the consultation request.

Other information:

Full text

Bird & Bird article


Takes effect:

25 May 2018


General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)


  • The EU's cornerstone data protection legislation.
  • Will replace Member State laws which implement the Data Protection Directive (95/46/EC).
  • GDPR will introduce additional costs, liability risk, breach reporting and governance responsibilities for organisations that process personal data either in the context of their operations within the EU or anywhere globally in connection with (i) goods/services offered to, or (ii) behavioural 'monitoring' (e.g. tracking online) of, individuals within the EU.

Brexit impact:

  • The Secretary of State has confirmed that the UK plans to adopt the GDPR, Brexit notwithstanding.
  • In the June 2017 Queen's Speech it was announced that the UK would be introducing a new Data Protection Bill.
  • In September 2017 the UK Government published a draft Data Protection Bill (see here for Bird & Bird's summary of its provisions as at the Bill's date of publication).
  • To track the progress of the Data Protection Bill through the UK parliament see here.

Other information:

Full text

Bird & Bird's GDPR guide

UK Government & ICO positions

ICO GDPR overview


Takes effect:

[Target is 25 May 2018?]


Draft: ePrivacy Regulation (Regulation on Privacy and Electronic Communications)

Overview of provisions:
  • The EU's proposed refresh of laws which regulate e-marketing, cold calling, cookies/other tracking technology, location data, network security and other communications issues.
  • EC's draft Regulation published 10 January 2017.
  • Will replace Member State laws which implement the ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC) which contains rules on cookies and similar technology.
  • The current draft indicates a significant toughening of the online and direct marketing laws, with particular attention paid to rules on consent. The May 2018 effective date seems ambitious.

Brexit impact:

The UK Government's intentions regarding the Regulation are unknown and are not likely to become clear until it has progressed further through the EU legislative process. A draft ePrivacy Regulation was published by the European Commission (EC) on 10 January 2017.

The ePrivacy Regulation will replace the existing ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC), the EU legislation which contains rules on cookies and similar technology.

Other information:

Draft proposal (10 January 2017)

Bird & Bird summary of draft proposal (January 2017)
