On 7 August 2017, the UK Department for Culture, Media and Sport (DCMS) published its Statement of Intent on a proposed Data Protection Bill, which will replace the current UK Data Protection Act 1998 (DPA).
The proposals set out in the Statement of Intent are intended to reassure businesses concerned about the impact of Brexit on data flows between the UK and the rest of Europe. The Bill is designed to fully implement the two new laws emanating from the EU – the General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) – in an effort to make the UK’s transition out of the EU as smooth as possible from a data protection perspective and to ensure that both commercial and law enforcement data flows ‘remain uninterrupted after the UK’s exit from the EU’. While this is not an explicit statement that the UK hopes to receive a finding of adequacy from the European Commission after Brexit, such an outcome remains a distinct possibility.
The Bill also means that UK law will closely mirror all key aspects found in the GDPR, from enhanced rights for individuals to increased accountability for controllers. Further, the Statement of Intent provides information on how the UK will exercise its discretion under certain sections of the GDPR where derogations apply; for example, in relation to the age at which children are able to give consent (without parental consent also being required) and to restrictions on rights and obligations where necessary to protect the public interest.
In all, the Statement of Intent appears to be designed to ensure that processing that is lawful under the DPA remains lawful under the Bill (e.g. that private companies will continue to be able to lawfully process personal data relating to criminal convictions for purposes such as pre-employment checking and fraud prevention) while also complying with the GDPR and DPLED. While the text of the Data Protection Bill has not yet been released, and it may be some time before it becomes law in the UK, the Statement of Intent reiterates that the GDPR will become part of UK law, and that companies need to think about being ready for it as soon as possible.