GDPR to be brought into UK law under new Data Protection Bill


The European Union’s (EU) General Data Protection Regulation (GDPR) will be brought into UK law under a new bill to ensure data protection measures are maintained after the implementation of Brexit.

The government has issued a statement of intent for the new Data Protection Bill, which is designed to update and strengthen current data protection laws included in the Data Protection Act 1998, in order to reflect the modern digital economy.

The government first outlined its intention to implement the GDPR through a new Data Protection Bill in the Queen’s Speech in July 2017.

The bill will enable individuals to ask for their personal data that is held by organisations to be erased, and it will also be simpler to withdraw consent for an individual’s personal data to be used. The definition of personal data will be expanded to include IP addresses, internet cookies, and DNA, and explicit consent will need to be gathered to process personal data, eliminating default opt-out or pre-selected tick boxes that have been used in the past to gain consent.

The bill will make it easier for individuals to require organisations to disclose the personal data they hold on them, and new criminal offences will be created to deter organisations from intentionally or recklessly creating situations in which a person could be identified from anonymised data. In addition, the Information Commissioner’s Office (ICO) will be given increased powers to issue fines of up to £17 million or 4% of global turnover in cases of data breaches. At present, the maximum fine the ICO can issue is £0.5 million. The new maximum is in line with the GDPR, which provides for fines for non-compliance of up to 4% of an organisation’s annual global turnover or €20 million, whichever is the greater amount.

Under the new bill, organisations carrying out high-risk data processing will also be obliged to conduct impact assessments to understand the risks involved.

The EU’s GDPR takes effect in all member states on 25 May 2018. The new bill is intended to ensure the features of the GDPR are carried into UK law successfully. This includes repealing the Data Protection Act 1998 to remove inconsistencies and streamline domestic law, applying the new data protection standards to all general data and not just to areas of EU competence, and exercising the exemptions in the GDPR that the UK government negotiated, such as requiring social media platforms to delete personal data on request and retaining enablers of data processing that are essential to all sectors of the economy.

Matt Hancock, minister of state for digital, said: “Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.

“The new Data Protection Bill will give us one of the most robust, yet dynamic, sets of data laws in the world. The bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”
