As UK businesses prepare for 25 May 2018, when the General Data Protection Regulation ("GDPR") comes into force, they must also get to grips with the Data Protection Bill (the "Bill"), which was published yesterday. It is important to note how the Bill and the GDPR interrelate, as explained in our article published yesterday.
Whilst the Bill introduces a lot of the same concepts, it also includes various derogations and exemptions which supplement the GDPR, in particular in relation to criminal offences and directors' liability.
The Bill includes two new criminal offences that are not outlined in the GDPR:
Click here to view table.
Both of these new criminal offences are recordable offences, i.e. they will appear on the offender’s criminal record.
Whereas the GDPR does not provide for directors’ personal liability where a company breaches data protection legislation, the Bill introduces directors' personal liability, incorporating provisions directly from the Data Protection Act 1998 (the “DPA”). Where an offence is committed by a company and it is established that it has been committed "with the consent or connivance of or attributable to neglect" of a director, that director, as well as the company, will be guilty of an offence. Offenders will be “liable to be proceeded against and punished accordingly”.
The Bill transplants various sections of the DPA into the GDPR in this way, so we will look to provide further comment on the inclusion of such passages alongside further updates relating to criminal offences and directors' liability during the passage of the Bill through Parliament and after the new regimes come into force.