Whilst the EU General Data Protection Regulation (“GDPR”) will apply directly in the UK from 25 May 2018, it also leaves a limited number of matters (the so-called derogations) to be governed by member state law. Alongside the GDPR, the EU’s Data Protection Law Enforcement Directive (“DPLED”) will also need to be transposed into UK law by 6 May 2018.
Government Minister Matthew Hancock has confirmed that the UK’s proposed Data Protection Bill “will bring the European Union’s General Data Protection Regulation (GDPR) into UK law, helping Britain prepare for a successful Brexit”. The Government has also published a “statement of intent” outlining some of the provisions that will be included in the Bill, which will repeal the Data Protection Act 1998. Whilst the statement outlines the main provisions, the Bill itself, setting out further detail, is expected to be laid before Parliament after the summer break. Data controllers will need to continue implementing their plans for GDPR compliance, whilst also monitoring any further requirements or exemptions introduced by the new UK law.
The statement indicates that:
- Implementation will be “done in a way that as far as possible preserves the concepts of the Data Protection Act to ensure that the transition for all is as smooth as possible, while complying with the GDPR and DPLED in full”.
- The definition of personal data will be expanded to include IP addresses, internet cookies and DNA.
- Stronger rules about consent for processing personal data will be introduced, including a ban on default opt-out or pre-ticked boxes, and the requirement for parents or guardians to give consent for children under 13.
- Individuals will find it easier to require organisations to disclose their personal data at no charge, provided the requests are not “manifestly unfounded or excessive”.
- Data controllers will have to provide better information on how to access personal data.
- Data portability rights will make it easier for individuals to move data between service providers.
- The “right to be forgotten”, will for example allow individuals to require social media platforms to delete information they posted during their childhood.
- Individuals will have a greater say in decisions made about them based on automated processing or “profiling”. The Bill will also introduce some qualifications to those rights.
- Data controllers will have to notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk, they must also notify the individuals affected.
- Data controllers carrying out “high risk” data processing will be obliged to carry out privacy impact assessments (called data protection impact assessments in the GDPR).
- The GDPR requires the appointment of Data Protection Officers by public authorities and by data controllers whose “core activities include processing operations which are regular and systematic on a large scale or including processing special categories of personal data and data relating to criminal convictions or offences.”
- Where an individual is affected by an infringement of data protection rules, “it should be possible for actions to be brought on behalf of similarly affected individuals by a representative entity (e.g. ombudsman, consumer or civil society bodies)”.
- The ICO’s powers to fine organisations for breach of data protection laws will increase from the current £500,000 limit to a maximum of 4% of global annual turnover or €20m (£17m), whichever is higher.
- The new regime will continue to permit processing of data relating to criminal convictions and offences for relevant employment/safeguarding purposes.
- The exemptions for journalism under current law will be replicated and protections for whistleblowers will also be implemented.
- “The government will legislate to exercise [an] exemption in order to ensure that the UK continues to be a centre for groundbreaking research. We will ensure that research organisations and archiving services do not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes. Research organisations will not have to comply with an individual’s rights to rectify, restrict further processing and object to processing where this would seriously impede their ability to complete their work, and providing that appropriate organisational safeguards are in place to keep the data secure.”
- There will be a range of measures to implement the DPLED for the police and other entities involved in the criminal justice system.
- The Government will also legislate for a framework for processing personal data for national security purposes.
In addition to the ICO’s monetary penalties and other enforcement powers under the GDPR, new criminal offences will be created:
- A new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Those who knowingly handle or process such re-identified data will also be guilty of an offence. The maximum penalty would be an unlimited fine.
- A new offence of altering records with intent to prevent disclosure following a subject access request. The scope of the offence would apply not only to public authorities, but to all data controllers and processors. The maximum penalty would be an unlimited fine in England and Wales or a Level 5 fine in Scotland and Northern Ireland.
- The existing offence of unlawfully obtaining data will be widened to capture people who retain data against the wishes of the data controller (even if they initially obtained it lawfully).
The statement also emphasises the importance of compliance with data protection law as a foundation for improved cybersecurity. It concludes by saying “the government will be seeking to ensure that data flows between the UK and the EU, and also appropriately between the UK and third countries and international organisations, remain uninterrupted after the UK's exit from the EU. Cooperation with the UK’s law enforcement and security partners, both in Europe and beyond, will also remain a priority.”