Data protection legislation rarely leads the 10 o'clock news. It was with great media fanfare, however, that the Government announced the new Data Protection Bill yesterday.
This Bill represents the most comprehensive evolution of data protection rights in 20 years. The heart of these new rules is European through and through. The Data Protection Bill will essentially mirror the provisions of the EU's General Data Protection Regulation (GDPR), which employers will be obliged to comply with in any event.
With Brexit on the horizon, the new Bill does appear to give some much-needed clarity. The Government's guidance note strongly suggests that these rules will be in place far beyond Brexit once they come into force on 25 May 2018. In reality, though, this was always likely to be the case, so that the UK could continue to do business with the rest of the EU efficiently.
There is a plethora of attention-grabbing changes to the current regime:
- New and tougher rules on obtaining employees' consent for the processing of their data
- An enhanced 'right to be forgotten'
- Changes to the rules on data subject access requests
- A significant increase to the maximum fine for breaking the rules - now £17 million or 4% of global turnover
- A new criminal offence related to de-anonymising data