The UK government has published its proposal to implement GDPR into UK law in a new Data Protection Bill. While GDPR will automatically come into force in the UK in 2018, the Bill is designed to ensure a smooth transition to a new data protection landscape regardless of Brexit, as well as implement key UK derogations.
Set to be introduced in September, the legislation will enshrine the fundamental principles of GDPR, including:
- The right to be forgotten
- Expanded definition of personal and sensitive personal data
- Expanded rights to access personal data
- Tighter rules on gaining consent
- New criminal offences to protect people from being identified by anonymous data and from having their data altered
- New powers for the Information Commissioner’s Office to fine companies £17m or 4% of global turnover
Most of the measures in the new Data Protection Bill will be familiar to anyone who has reviewed VinciWorks’ GDPR guide to compliance. Our Data Protection: Privacy at Work course is also GDPR-ready and gives users a head start on the coming changes to the data protection landscape in the UK. It’s fully customisable and contains a personal learning path builder that tailors content to a user’s role with over 1,000 configurations. New modules are constantly being updated and added to the course so that it never goes out of date and always provides users with exactly what they need to know to keep data safe and secure.
UK derogations
Within the scope of GDPR, countries have space to amend the parameters of the law. The government announced its intention to do that in the following ways that go beyond GDPR as written by the EU.
- Require social media platforms to delete content held on a user at the age of 18
- Repeal the Data Protection Act 1998 and have a single data protection law for both EU and domestic law
- Allow children aged 13 or older to consent to personal data being processed
- Organisations will be able to continue processing criminal conviction and offences data as they currently do
- Legitimate automated decision making will be allowed in some circumstances, such as credit reference checks
- Research organisations will be exempt from some personal data obligations such as correcting inaccurate data or right of access
What might happen after Brexit
Despite the government’s intention to bring GDPR into UK law, a hard Brexit with no comprehensive deal could mean no assessment of adequacy from the Europe. This could see a blockade on data transfers from the EU to the UK. Furthermore, the UK cannot apply to the European Commission for an assessment of adequacy, that determination can only be given by the Commission itself.