Daradjeet Jagpal looks at the provisions of new legislation set to bring the data protection regime into the 21st century.
The UK government has published a statement of intent, setting out details of the forthcoming Data Protection Bill. The bill will be published next month and will give effect to the EU General Data Protection Regulation (GDPR) in the UK from May 2018.
The statement follows on from the government’s “call for views” in April on how it should implement the permitted exemptions within the GDPR (to which it received 324 responses) and the government’s commitment to introducing the bill in the Queen’s Speech in June.
The digital minister noted that the “Bill will bring our data protection laws up to date…and will both support innovation, and ensure that we can remain assured that our data is safe as we move into a future digital world”. The minister also promised that the new bill “will give us one of the most robust, yet dynamic, set of data laws in the world” that “protect[s] privacy, strengthens rights and empowers individuals to have more control over their personal data”.
The bill will apply to all personal data, not just personal data that falls within areas of EU competence. It will preserve much of the content of the GDPR, although the government has confirmed its intention to apply exemptions from the GDPR, two of which will make the bill more palatable to business.
The first of these allows organisations other than the police to process personal data on criminal convictions and offences. The second concerns automated data processing. The GDPR gives individuals the right not to be subject to automated decision-making, but there are certain sectors, including financial services, that rely heavily on this type of data processing. The bill will permit automated data processing, but individuals will have the right to challenge any resulting decisions and request human intervention. The bill will repeal and replace the existing law, the Data Protection Act 1998, in its entirety.
Some of the key features of the bill will include:
- a wider definition of “personal data” that covers IP addresses, Internet cookie files and DNA
- it will be more difficult to obtain consent to data processing, and pre-ticked boxes and opt-outs (rather than opt-ins) will be insufficient for establishing consent
- children aged 13 years and older will have the capacity to consent to their personal data being processed as part of using “information services”
- individuals will be entitled to access their personal data at no charge where requests are not “manifestly unfounded or excessive”
- individuals will be able to move their electronic personal data from one organisation to another more easily under the new right to “data portability”
- individuals will have the “right to be forgotten” to have their personal data erased, including the right to have social media platforms delete personal data posted while they were under 18 years of age
- some organisations will need to put in place an accountability framework and be publicly accountable for their data protection compliance
- some data security breaches will need to be reported to the Information Commissioner’s Office (ICO) and affected individuals within 72 hours of organisations becoming aware of the breach
- the ICO will have the power to issue higher fines of up to £17 million or four per cent of global turnover, whichever is higher, on a sliding scale of breach severity
- there will be new offences, including the offence of altering records with the intent of preventing disclosure following receipt of a subject access request, with a maximum fine of level 5 on the standard scale
- the bill will include specific provisions regarding the processing of personal data for law enforcement and national security purposes (which are not contained within the GDPR)
While the statement represents an important milestone in the current process of data protection reform, and confirms that work on the content of the data protection bill is already underway and in its advanced stages, it should be noted that it is only a statement of the government’s intention to introduce legislation making specific provisions as to the law. Those looking for a more concrete steer are advised to wait for the bill.
However, that is not to suggest that organisations can rest in blissful ignorance in the meantime. The GDPR represents, as the ICO refers to it, “the biggest change to data protection law for a generation”, and organisations should begin their preparations now to ensure that their data processing practices, policies, procedures and data security meet the higher standards contained within the GDPR. Indeed, if the bill does not receive Royal Assent and come into force on or before 25 May 2018, then the Regulation will be directly applicable from that date, and there will be no grace period – or mercy from the ICO – for organisations that fail to comply from day zero.
- Daradjeet Jagpal is a legal consultant and director of Information Law Solutions.