The government published the Data Protection Bill on 14 September 2017, which will implement and supplement the General Data Protection Regulation ('GDPR') in the UK.
The government says the Bill will ensure that the UK's 'data protection framework is suitable for our new digital age and cement the UK's position at the forefront of technological innovation, international data sharing and protection of personal data.'
The Bill will regulate data protection in the UK once it comes into effect and will continue to do so following Brexit, allowing the UK to maintain a similar level of data regulation to the EU and share data across borders.
The document is 218 pages in length, containing 194 clauses and 18 schedules. For those who have not had an opportunity to read this document already, we have highlighted the key areas below:
Incorporation of the GDPR, and a wider data protection system
The Data Protection Bill is intended to bring UK law in line with the General Data Protection Regulation. Both come into effect in May 2018, with the intent of giving consumers more control over their personal data. The maximum fine for a breach by a data controller is four per cent of global group turnover, or £17m, whichever is higher.
The Data Protection Bill retains aspects of the current data protection regime where these are needed to supplement the GDPR, so as to provide at least equivalent obligations and protections in many cases.
Flexibility in the GDPR
The Department for Digital, Culture, Media and Sport published a summary list of the UK's intended derogations from the GDPR in August. These are areas where EU member states are left to produce their own laws to fit their circumstances while keeping within the GDPR framework. The main exemptions from the GDPR included in the Data Protection Bill are as follows:
1. 'Freedom of expression' exemption
This exemption protects professionals in a range of fields, including:
- Journalists who access personal data on the grounds of freedom of expression and to expose wrongdoing;
- Scientific/historical research organisations from certain obligations that would impair their work;
- Anti-doping bodies; and
- Financial services firms who handle personal data on suspicion of terrorist financing or money laundering.
2. Employers processing 'special categories of personal data' exemption
A good degree of lobbying took place once it became clear that the GDPR is restrictive around the use of what is currently called sensitive personal data, and which under the GDPR will be called special categories of personal data.
(a) Personal data
Employers can process special categories of personal data (such as health data, political opinion, religious beliefs, union membership and sexual orientation) only if they meet strict conditions under the GDPR, such as obtaining explicit consent or processing under an appropriate policy document that meets the Bill's additional requirements.
(b) Criminal convictions
Under the GDPR, employers can process data on criminal convictions only if this is specifically permitted by law. The Data Protection Bill will allow processing of criminal conviction data if it meets the same requirements as processing special categories of personal data (consent or a policy that meets the additional requirements).
3. Creation of new offences
The Bill introduces a number of new criminal offences, including an offence of altering, destroying or concealing information that is to be provided to an individual in response to a subject access request. Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data will also be an offence. The GDPR's accountability principle regarding record keeping will be especially relevant in these areas, so organisations should keep a good audit trail of what is done to comply.
4. Social media
The GDPR will bring in special protection for children's personal data, particularly in the context of social networking. Organisations offering online services to children may need a parent or guardian's consent to process their personal data lawfully. The GDPR permits member states to set the age at which a child can give their own consent for online services anywhere between 13 and 16; the Bill sets the UK age at 13. If a child is younger than 13, consent must be obtained from a person holding 'parental responsibility'.
The legislation is due for second reading in the House of Lords on 10th October.
In other news, the ICO issued its draft controller to processor contracts guidance for consultation earlier this week. With re-contracting activity taking place at speed, this is timely and it is hoped the final version will be published shortly after the consultation closes, so that organisations have the time to remedy any gaps in their contracts with data processors.