Get in touch 0117 325 0526

Government reforms (1): Data protection bill

What do we already know?

 We updated you in our April 2016 Newsletter Government reforms Government reforms (1): Data protection – changing times… and our June 2016 Newsletter Government reforms (2): data protection changes – guidance on its way about the new General Data Protection Regulation (GDPR), which will replace the current EU Data Protection Directive and national data protection legislation (for the UK,  the Data Protection Act 1998).

We updated you in our November 2016 Newsflash Data protection – changing times that the Government has confirmed that the UK will be implementing the GDPR in May 2018.

We updated you in our September 2017 Newsletter Government reforms (1): Data protection – towards GDPR that the Government had published a statement of intent on the planned Data Protection Bill which is to repeal the Data Protection Act 1998 and help to incorporate the GDPR into UK Law.

Information from the Information Commissioner’s Office (ICO) on the content of the GDPR is available here.

What’s new?

The Data Protection Bill (DPB) has been published and is making its way through Parliament towards approval.  The DPB is available here, but beware it’s 218 pages long!

The intention is that the DPB will repeal and replace the current Data Protection Act 1998 (DPA) and provide “a comprehensive and modern framework for data protection in the UK“.

However, it is worth noting that the DPB does not incorporate the GDPR but rather supplements it.  So from 25 May 2018 when the GDPR applies directly to the EU, including the UK, both the DPB and the GDPR will need to be complied with.  The DPB therefore does not need to replicate the GDPR but instead implements various derogations permitted by the GDPR and also extends the GDPR standards to certain areas of data processing outside EU competence.

When the UK leaves the EU the Government intends that the GDPR will be incorporated into the UK’s domestic law under the European Union (Withdrawal) Bill.

Please note that the DPB may yet well be amended, particularly at Committee stage which is scheduled to start on 30 October 2017. This is the first chance for amendments to be made and will involve a line by line examination of the DPB.

However, the main points to note so far are:

To rely on the conditions organisations should have an appropriate policy document in place when the processing is carried out which explains the procedures to ensure compliance with the data processing principles.

This is particularly helpful given the GDPR does not address these points.

Schedule 7 lists the Competent Authorities and this includes organisations such as Government departments, Police, Fraud Office, Probation, Youth Offending Teams etc. If you don’t meet the criteria above, you don’t need to worry about this large part of the Bill.

However, if your organisation does fall into the law enforcement category, then your Data Protection Officer has extra specified tasks in clause 69, namely the ability to assign responsibilities, promote policies, undertake audits and deliver training. There is also an additional requirement to have specific audit trails on automated processing ensuring a log of who collected, altered, erased and transferred data amongst other things. For further help, the Information Commissioner’s Office (ICO) has published a checklist entitled “Preparing for the law enforcement requirements (part 3) of the Data Protection DPB: 12 steps to take now” available here.



The DPB imports much of the DPA and contains few surprises.  It is welcome news that the Government’s intention is clearly to retain many of the DPA derogations and exemptions.  Although the DPB is still subject to amendment by Parliament, there is not much time for fundamental change so the DPB does allow organisations greater clarity in their planning for implementation of the GDPR.  However, as the law on data protection is not yet fully settled do continue to watch this space…

Share this...

Review Solicitiors