First mentioned in the Queen’s Speech back in June, the proposed Data Protection Bill was in the news again last week after the Department for Culture, Media & Sport issued a press release outlining the proposed legislation in more detail. The Bill is expected to be published in September and, given its stated purpose, should be ready for the statute book by the time the UK leaves the EU in 2019.
What About the GDPR?
The EU General Data Protection Regulation comes into force on 25th May 2018. This will not be affected by the new Data Protection Bill. Indeed, the primary purpose of the Data Protection Bill is to bring the GDPR into UK law so that our legal standards of data protection remain consistent with those throughout the European Union after Brexit. Not only does this mean that businesses already complying with the GDPR will face little or no disruption in transitioning from the GDPR regime to that introduced under the Bill, but it also means that handling personal data across European borders will be undisturbed by Brexit. In short, carry on preparing for the GDPR. That comes into force first, and there shouldn’t be any major differences under the new domestic data protection legislation that follows.
What Will the Data Protection Bill Do?
As we’ve already stated above, the main purpose of the Bill is to bring UK domestic data protection legislation into line with the GDPR. The UK’s current data protection statute, the Data Protection Act 1998, is quite literally from a bygone era and is no longer adequate to deal with current methods of data collection and processing, nor with current forms of personal data, for that matter. The Data Protection Bill will bring data protection law up to date and, according to the DCMS press release, will include measures to do the following:
- Make it simpler for data subjects to withdraw their consent for the use of their personal data;
- Allow data subjects to ask for their personal data to be erased;
- Enable parents and guardians to give consent to data processing on behalf of their children;
- Modernise and strengthen data protection law to fit with the digital economy;
- Make it easier (and free) for data subjects to require organisations to disclose the personal data those organisations hold about them; and
- Make it easier for consumers to move data between service providers.
(Read the press release in full here)
Will There Be Any Differences Between the Data Protection Bill and the GDPR?
Yes, it appears that there will be some slight differences, exercising the derogations in the GDPR that the UK government originally negotiated. This will include giving young people the right to require social media websites to delete information held about them when they reach the age of 18. The government has also stated that the derogations will allow for ‘a simpler shift for both businesses and consumers as we retain many of the enablers of processing essential to all sectors of the economy, from financial services to academic research, under the new legislation’.
What Should I Be Doing to Prepare?
For now, simply keep preparing for the GDPR (or start if you haven’t already). There are no indications that the Data Protection Bill will represent a radical shift from the GDPR. As we’ve already pointed out, its main purpose is to bring UK law in line with the GDPR, subject to some minor differences which aren’t likely to make a big difference to most SMEs in any case.
In the meantime, here at Simply-Docs we will be monitoring the progress of the Data Protection Bill, as well as publishing new documents and guidance focused on the GDPR as May 2018 draws nearer. As always, if you have any thoughts or questions about the Data Protection Bill, we would love to hear from you in the comments.