The government has this week published a statement of intent as to the domestic data protection legislation which it plans to bring into effect over the next year. The statement confirms that GDPR, which is set to be in force across EU states from May 2018, will also be brought into UK domestic law when the UK has separated from the EU.

The statement of intent is welcome because it makes clear that the enhanced rights conferred by the GDPR (including rights to move and delete data and enhanced consent requirements) will be imported into domestic law in full, giving more protection to data subjects but also greatly simplifying the position for data controllers, who will only have one set of regulations to comply with, whether or not they are processing EU citizens’ data and before or after the UK’s exit from the EU.

The Bill will also include derogations within UK law to ensure that businesses and research institutions are free to process data in ways which are likely to yield broader benefits for society, whether for scientific enquiry or in connection with the prevention of fraud, for example.