Back in August we published a post here on the Simply-Docs Blog with news of a new Data Protection Bill which the government planned to publish soon thereafter. That Bill has now been published and while it is likely to be chopped and changed as it makes its way through Parliament, there are some key things to know about it from the start.
What is the Data Protection Bill?
The main purpose of the Data Protection Bill 2017 is to bring the provisions of the EU General Data Protection Regulation – the GDPR – onto the UK statute book in readiness for Brexit. As many readers will now know, the GDPR comes into force on 25th May 2018, bringing with it new higher standards of data protection compliance and a privacy regime fit for the 21st Century. In its most basic form, the Data Protection Bill will lead to an Act of Parliament that replicates the GDPR, ensuring that UK data protection law remains consistent with EU law – something that will be essential for doing business in a post-Brexit world. There will, however, be some key differences.
What is the difference between the Data Protection Bill and the GDPR?
The GDPR will apply almost uniformly in all EU member states (including the UK until we leave). We say almost because it does provide for limited differences at the member-state level. A member state is able to introduce some exemptions from the GDPR, provided that those exemptions still respect the fundamental rights and freedoms of data subjects, and provided that an exemption is necessary with respect to highly important matters such as national security; the prevention, investigation, detection, or prosecution of criminal offences; judicial proceedings; and a number of other public interest, public administration, and legal matters.
The Data Protection Bill deals with some of these limitations, but it is not just a copy of the GDPR. It will, in some areas, go beyond it. The Bill will also cover:
- Data processing that is not covered by EU law;
- The implementation of the EU Law Enforcement Directive;
- National security matters; and
- The changing duties of the Information Commissioner's Office in light of the new legislation.
What key changes will the Data Protection Bill bring?
The Data Protection Bill includes a number of key elements:
- Making it easier for people to withdraw their consent to the use of their personal data;
- Implementing the so-called “right to be forgotten” into UK law;
- Requiring organisations to obtain explicit consent from data subjects when processing sensitive personal data;
- Expanding the definition of personal data to make it more suitable in the modern world, including data such as IP addresses, cookies, and biometric data;
- Improving subject access requests (including removing the right for organisations to charge for them in many cases);
- Enhancing the remedies, such as compensation, available to data subjects in the event of data breaches where the effects of such breaches go beyond financial loss or distress; and
- Creating new criminal offences that will apply in the case of certain severe data breaches.
Watch This Space!
As with any new piece of legislation, the Data Protection Bill now faces a long journey through Parliament where it will no doubt be subject to a number of changes – minor or otherwise – as it passes back and forth. Moreover, the European (Withdrawal) Bill, formerly (colloquially) known as the “Great Repeal Bill”, presently allows for significant modification of certain legislation by government ministers without it being subject to the normal levels of parliamentary scrutiny, so there is possibly even greater scope for changes that might not otherwise be palatable across the board. As ever, we will keep a close eye on things and keep you informed.