New Data Protection Bill to implement GDPR in the UK

Data protection
The UK government is hoping the new Data Protection Bill will ensure a smooth transition to GDPR

The UK government has published its proposal to implement GDPR into UK law in a new Data Protection Bill. While GDPR will automatically come into force in the UK in 2018, the Bill is designed to ensure a smooth transition to a new data protection landscape regardless of Brexit, as well as implement key UK derogations.

Set to be introduced in September, the legislation will enshrine the fundamental principles of GDPR, including:

  • The right to be forgotten
  • Expanded definition of personal and sensitive personal data
  • Expanded rights to access personal data
  • Tighter rules on gaining consent
  • New criminal offences to protect people from being identified by anonymous data and from having their data altered
  • New powers for the Information Commissioner’s Office to fine companies £17m or 4% of global turnover


Most of the measures in the new Data Protection Bill will be familiar to anyone who has reviewed VinciWorks’ GDPR guide to compliance. Our Data Protection: Privacy at Work course is also GDPR-ready and gives users a head start on the coming changes to the data protection landscape in the UK. It’s fully customisable and contains a personal learning path builder that tailors content to a user’s role with over 1,000 configurations. New modules are constantly being updated and added to the course so that it never goes out of date and always provides users with exactly what they need to know to keep data safe and secure.

UK derogations

Within the scope of GDPR, countries have space to amend the parameters of the law. The government announced its intention to do that in the following ways that go beyond GDPR as written by the EU.

  • Require social media platforms to delete content held on a user at the age of 18
  • Repeal the Data Protection Act 1998 and have a single data protection law for both EU and domestic law
  • Allow children aged 13 or older to consent to personal data being processed
  • Organisations will be able to continue processing criminal conviction and offences data as they currently do
  • Legitimate automated decision making will be allowed in some circumstances, such as credit reference checks
  • Research organisations will be exempt from some personal data obligations such as correcting inaccurate data or right of access

What might happen after Brexit

Despite the government’s intention to bring GDPR into UK law, a hard Brexit with no comprehensive deal could mean no assessment of adequacy from the Europe. This could see a blockade on data transfers from the EU to the UK. Furthermore, the UK cannot apply to the European Commission for an assessment of adequacy, that determination can only be given by the Commission itself.

 

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.