If you are already preparing for GDPR, and with VinciWorks GDPR Guide to Compliance and our Data Protection: Privacy at Work course, you already should be, then most of what is in the Data Protection Bill will not be news to you. However this will explain the key points of the new Data Protection Bill that are different from GDPR.
Running to over 200 pages, with 194 clauses, 18 schedules and 112 pages of explanatory notes, the government describes the Bill as a “complete data protection system.” That system already exists however, and it’s called the General Data Protection Regulation.
The Bill is essentially Brexit-proofing GDPR by bringing in the European standard of data protection, along with allowed UK exemptions, no matter if, when or how the UK leaves the EU. Also the Bill is necessary to implement a single data protection regime as GDPR, as a European Directive, only applies to areas of law under EU competency. The Bill itself says things like: “Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR.” So there’s no reason to throw out all the GDPR compliance work you might have done so far. Indeed, now is the time to speed it up.
Along with the well-worn GDPR-related changes which are extensively covered in the VinciWorks GDPR Guide to Compliance, the Bill sets out the UK’s derogations, exemptions, and specific rule changes.
There are some groups who are exempt from having to follow a number of data protection rules altogether. These include bodies investigating financial crime and journalists who are seeking to expose wrongdoing. Scientific and historical research organisations are also exempt from complying where it would hinder their work, and employees who, where justified, access sensitive personal data without consent can do so if it fulfills an employment law obligation.
Crucially, financial services firms who are handling personal data connected to a suspicion of money laundering or terrorist financing are exempt from a number of obligations.
Further UK specific measures set out in the legislation include:
- Require social media platforms to delete content held on a user at the age of 18
- Repeal the Data Protection Act 1998 and have a single data protection law for both EU and domestic law
- Allow children aged 13 or older to consent to personal data being processed
- Organisations will be able to continue processing criminal conviction and offences data as they currently do
- Legitimate automated decision making will be allowed in some circumstances, such as credit reference checks
The UK legislation will introduce a number of new criminal offences related to data protection. These include:
- Unlawfully obtaining personal data
- Unlawfully altering personal data
- Re-identification and de-identification of personal data
The Bill will also give the Information Commissioner’s Office (ICO) enhanced powers to ensure enforcement and levy administrative sanctions, with the maximum fine available rising to £17m, or 4% of annual turnover, whichever is higher. Currently the ICO is limited to fines of up to £500,000.
One key benefit of the Bill, the government is hoping, is to ensure adequacy when the UK leaves the EU. There would be serious consequences for the UK’s data flow to the rest of the world should the EU not find the UK’s data protection regime as adequate.
Other GDPR provisions that are being fully transposed into the UK legislation, such as tougher consent requirements, refreshed principles of data protection and tighter times for breach notification, will also be subject to further guidance from the ICO.
The Data Protection Bill is due for its second reading in the House of Lords on the 10th of October. Until then, getting ready for GDPR will ensure you are fully ready for the new Data Protection Bill too.