The EU General Data Protection Regulation (GDPR) has been described by the Information Commissioner as “the biggest change to data protection law for a generation”. It will automatically come into force in the UK on 25 May 2018, just a few weeks after the UK is required, on 6 May 2018, to enact legislation to implement another EU law, the Data Protection Law Enforcement Directive (DPLED), which applies to public enforcement agencies.

The Government has recently confirmed that it plans to introduce a new Data Protection Bill, which will integrate the GDPR into UK law together with the DPLED and ensure both continue to apply after Brexit.

The UK’s Minister of State for Digital, Matt Hancock, said:

“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. …The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”

“The Data Protection Bill will allow the UK to continue to set the gold standard on data protection. We already have the largest internet economy in the G20. This Bill will help maintain that position by giving consumers confidence that Britain’s data rules are fit for the digital age in which we live.”

Key legal changes coming into force will include provisions that:

  • make it simpler for people to withdraw consent for the use of personal data;
  • allow people to ask for their personal data held by companies to be erased;
  • enable parents and guardians to give consent for their child’s data to be used;
  • require ‘explicit’ consent for processing sensitive personal data;
  • expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA;
  • update and strengthen data protection law to reflect the changing nature and scope of the digital economy;
  • make it easier and free for individuals to require an organisation to disclose the personal data it holds on them;
  • make it easier for customers to move data between service providers.

New criminal offences will be created to deter organisations from either intentionally or recklessly creating situations where someone could be identified from anonymised data. In addition, the Information Commissioner’s Office will be able to issue higher fines – of up to million or 4% of global turnover for serious data protection breaches. This is significantly more than the current £500k fine level.