The Government has this week issued a Statement of Intent (accessible here) setting out its plans for a new Data Protection Bill. Once implemented, the Bill will overhaul the data protection regime in the UK. The Statement acknowledges that the EU General Data Protection Regulation (GDPR) will have direct effect in the United Kingdom until Brexit. It also provides some detail about how the UK will approach local law derogations that are permitted under the GDPR.
The Minister of State for Digital, Matt Hancock MP, refers to the ‘gold standard’ of data protection laws in the UK. He also emphasises the UK’s desire to continue this gold standard and to move forward in a way which ensures that the transition once the UK leaves the EU is as smooth as possible for all, while complying with the GDPR and other relevant EU directives in full.
How does it compare to the GDPR?
The Statement echoes key principles under the GDPR, such as:
- clearer requirements for obtaining consent;
- mandatory breach reporting obligations;
- enhanced rights for data subjects (such as the right to be forgotten, right of data portability and right to object to automated profiling);
- the requirement for organisations to carry out privacy impact assessments for high risk processing;
- the requirement for public bodies and other organisations carrying out regular and systematic processing on a large scale or processing certain special categories of personal data to have a data protection officer.
(See further details on the GDPR here). The civil sanctions referred to in the Statement also compare, with the ICO to be given powers to levy fines of up to £17 million (€20 million) or 4% of global turnover.
The Statement refers to some areas where the UK will go further than the requirements of the GDPR or exercise derogations which are provided for under the GDPR. These include:
- the age at which a child can consent to processing: the GDPR allows member states to set the age limit, between 13 and 16, above which a child is regarded as capable of giving consent. The UK Government has chosen to set this limit at 13. The Statement emphasises the importance placed on child online safety and refers to the development of a Digital Charter;
- enhanced rights for UK citizens to be forgotten: in particular requiring social media platforms, upon request by data subjects, to delete the information they posted before the age of 18;
- tougher criminal enforcement action, by the introduction of:
- a new criminal offence of intentionally or recklessly re-identifying individuals from anonymised of pseudonymised data; and
- a new criminal offence of altering records with intent to prevent disclosure following a subject access request.
Both of these sanctions carry maximum penalties of an unlimited fine.
- retention of many of the existing processing exemptions, for example for financial services and academic research purposes, on which the GDPR permits member states to legislate locally.
It is reported that the Government is expected to publish the text of the Bill in early September.
In the meantime, businesses should continue to prepare for the GDPR, but bear in mind that their GDPR policies and procedures may need to be re-visited once the Bill is issued and becomes law.