The government will implement the General Data Protection Regulation (GDPR) through the Data Protection Bill, which was announced in the Queen’s Speech on Wednesday 21 June 2017.
The GDPR, which has been designed to protect EU citizens from privacy and data breaches, will include mandatory breach notifications delivered within 72 hours where a breach is likely to result in a risk to the rights and freedoms of individuals. Subjects will also be able to discover whether personal data concerning them is being processed, where it is being processed, and for what purpose.
The GDPR will give individuals more control over their own data, enabling subjects to receive personal data concerning them, and to transmit it to the data controller of their choice. Subjects can additionally withdraw their consent, and have their personal data erased or the circulation or processing of their data stopped.
Organisations that do not comply with GDPR legislation, effective from 25 May 2018, can be fined up to 4% of their annual global turnover or €20 million, whichever is the greater amount.
The legislation will apply to organisations located within the EU, as well as organisations based outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. The GDPR will be applicable for all organisations processing and holding the personal data of subjects who live in the EU, regardless of where the organisation is located.
The Data Protection Bill will legislate to accommodate the GDPR. Ongoing Brexit negotiations and the UK’s decision to leave the European Union (EU) are not expected to affect the commencement of the regulation in 2018.
The Data Protection Bill aims to ensure that the UK is compliant with its obligations while it remains a member of the EU. After leaving the EU, the Bill will help the UK to maintain its ability to share data with other EU member states, as well as internationally.
The Bill will also work to establish a new data protection regime for non-law enforcement data, replacing the existing Data Protection Act 1998. This is designed to empower individuals to have more control over their personal data and ensure that the data protection framework is suitable for today’s digital age. The Bill also aims to modernise the data processing regimes used by law enforcement agencies, and update the powers and sanctions available to the Information Commissioner.
Helen Baker, partner at Sackers, said: “With the Queen’s Speech last week, we now know that there will be a UK Bill that will become a UK Act. [Pension] schemes, and everybody else that needs to comply, do still need to be looking at GDPR. GDPR is going to be with us in May next year. It will apply automatically and will carry on applying while we’re in the EU, and although we don’t know lots about what’s going to be in the UK Act, it sounds as though it’s going to have a lot of the features of the GDPR.
“As we come out of the EU and we have the Great Repeal Bill, effectively the Act is going to plug in behind [that] because regardless of whether we are in the EU or not, data protection legislation is due an update, not least because of how technology has moved on since 1998. Plus, we are going to need to have a framework that is fit for purpose for doing business in the EU. I think it’s part of an evolution rather than necessarily a big game changer.
“We don’t really have the information to know [whether the Bill will have a bearing on pensions and benefits] for certain one way or another. I think the expectation is GDPR will [have an impact] and it’s a big enough overhaul of the whole data protection regime that schemes are going to need to do things and take action. If the new UK Bill mirrors it substantially, then it’s all going to feed through.”