Government publishes the Data Protection Bill
The UK government published the Data Protection Bill (Bill) on 14 September 2017. The Bill will replace the Data Protection Act 1998 (DPA) and bring the General Data Protection Regulation (GDPR) into domestic law (with a few derogations, as discussed below). Post-Brexit, the Bill will continue to regulate data protection in the UK.
By now, most enterprises will be familiar with the obligations and restrictions imposed by the GDPR (effective from May 2018). However, as is usual when an EU regulation is implemented locally, the UK Bill contains some interesting nuances. Here are some of the highlights.
As in the DPA, certain groups may be exempt from some of the GDPR's requirements. Generally these exemptions protect individuals and organisations that process personal data as a necessary element of their profession, including:
• journalists, who are allowed to process personal data on grounds of freedom of expression and to expose wrongdoing
• scientific/historical research organisations
• anti-doping bodies to enable them to protect the integrity of sport
• financial services firms that process personal data to investigate terrorist financing or prevent fraud.
Additionally, subject to obtaining explicit consent or inclusion in an employee-related policy, the Bill allows employers to process sensitive personal data (called “special categories of personal data” under the GDPR) and data relating to criminal convictions.
The Bill also introduces some additional criminal offences in relation to data protection. Organisations should take note of these, as they may otherwise find themselves inadvertently committing an offence. The new offences are:
• altering, defacing, destroying or concealing information with the intention of preventing its disclosure as part of a valid subject access request
• knowingly or recklessly re-identifying individuals from de-personalised (i.e. anonymised or pseudonymised) data, without the consent of the controller or the data subject
• intentionally or recklessly obtaining personal data unlawfully (i.e. without the controller's consent).
Other points to note
In addition to the above, it is also worth noting the following:
• the fines under the Bill are essentially the same as those set out in the GDPR: a maximum of £17m or 4% of global annual turnover, whichever is higher
• for the purposes of consenting to data processing, a child in the UK is an individual younger than 13 years of age. Where a child is under 13, companies will need to obtain consent from a person with “parental responsibility” for that child.
Any practical tips?
As anticipated, there are no real ground-breaking differences between the GDPR and the Bill. In particular, with the new offences in mind, it will be important to document consents for processing carefully and to keep a solid audit trail when responding to subject access requests. This also matters in the context of the GDPR's accountability principle and its record-keeping requirements.
We also recommend that organisations stay eagle-eyed for any further developments in this area, especially with the Bill going for its second reading in the House of Lords on 10 October 2017.