The new Data Protection Bill, which implements GDPR standards, will replace the current Data Protection Act.

The new law contains some derogations and exemptions including a specific relaxation for occupational pensions, designed to allow processing of personal data without consent where the processing:

  • is necessary to make a determination in connection with eligibility for, or benefits payable under, an occupational pension scheme
  • is not carried out for the purposes of measures or decisions with respect to the data subject
  • can reasonably be carried out without the data subject’s consent (which will only be where the controller cannot reasonably be expected to obtain consent and is not aware of consent having been withheld)

The Bill also contains three criminal offences, which are not contained in GDPR:

  1. Knowingly or recklessly obtaining, disclosing or retaining personal data without the consent of the controller
  2. Knowingly or recklessly re-identifying anonymised personal data without the consent of the controller responsible for de-identifying the personal data
  3. Manipulating personal data with the intention of preventing disclosure following a data subject access request

It also introduces directors’ personal liability, where a company commits an offence under the new Act which is attributable to the director’s neglect or with the director’s consent or connivance.

The new data protection legislation presents a huge shake up to the way we handle data.

Trustees in particular can be held personably liable for breaches. If you have GDPR concerns find out more about our GDPR guidance for Trustees.

Our Pitmans Point GDPR series also provides useful insights to help get you regulation ready, from risk assessments to action guides.

Read the full Data Protection Bill.