What do we already know?
We updated you in our April 2016 Newsletter, Government reforms (1): Data protection – changing times…, and our June 2016 Newsletter, Government reforms (2): data protection changes – guidance on its way, about the new General Data Protection Regulation (GDPR), which will replace the current EU Data Protection Directive and national data protection legislation (for the UK, the Data Protection Act 1998).
We updated you in our November 2016 Newsflash, Data protection – changing times, that the Government has confirmed that the UK will be implementing the GDPR in May 2018.
We updated you in our September 2017 Newsletter, Government reforms (1): Data protection – towards GDPR, that the Government had published a statement of intent on the planned Data Protection Bill, which is to repeal the Data Protection Act 1998 and help to incorporate the GDPR into UK law.
Information from the Information Commissioner’s Office (ICO) on the content of the GDPR is available here.
What’s new?
The Data Protection Bill (DPB) has been published and is making its way through Parliament towards approval. The DPB is available here, but beware it’s 218 pages long!
The intention is that the DPB will repeal and replace the current Data Protection Act 1998 (DPA) and provide “a comprehensive and modern framework for data protection in the UK”.
However, it is worth noting that the DPB does not incorporate the GDPR but rather supplements it. So from 25 May 2018 when the GDPR applies directly to the EU, including the UK, both the DPB and the GDPR will need to be complied with. The DPB therefore does not need to replicate the GDPR but instead implements various derogations permitted by the GDPR and also extends the GDPR standards to certain areas of data processing outside EU competence.
When the UK leaves the EU the Government intends that the GDPR will be incorporated into the UK’s domestic law under the European Union (Withdrawal) Bill.
Please note that the DPB may well yet be amended, particularly at Committee stage, which is scheduled to start on 30 October 2017. This is the first chance for amendments to be made and will involve a line-by-line examination of the DPB.
However, the main points to note so far are:
- ICO: The DPB provides for the continuation of the Information Commissioner’s role.
- Conditions for processing: The data protection principles (Article 5 GDPR) and the conditions for lawful processing (Article 6 GDPR) are the bedrock of the GDPR. They remain in place as the bedrock of the Bill (see Part 2, which applies to most types of processing).
- Sensitive Personal Data: The GDPR permits Member States to stipulate conditions for processing “special categories of personal data” (broadly, “sensitive personal data” under the DPA) and criminal conviction data without needing to obtain explicit consent. The DPB therefore aims to provide these conditions and largely replicates the current DPA provisions. There are exemptions relevant to specific types of organisation as well as several with more general application, such as where processing is necessary:
  - for diversity monitoring;
  - to prevent and detect unlawful acts;
  - to fulfil obligations under employment or social security law; or
  - for health and social care purposes (including occupational medicine and the assessment of the working capacity of an employee).

  To rely on the conditions, organisations should have an appropriate policy document in place when the processing is carried out, which explains the procedures to ensure compliance with the data processing principles.
- Subject Access Requests: The DPB confirms the requirements in the GDPR. You cannot charge for a Subject Access Request unless it is repeated or manifestly unfounded or excessive, and you must answer in one month (unless it is excessive, in which case this can be extended for another two months).
- Exemptions to individual rights: The DPB replicates certain DPA exemptions to individual rights to information about processing and subject access rights, including:
  - legal professional privilege;
  - self-incrimination; and
  - management forecasts, negotiations, and confidential references.

  This is particularly helpful given the GDPR does not address these points.
- Children & data processing: The minimum age at which a child can consent to personal data processing by information society services (e.g. online sellers, search engines and social media) will be 13. Providers of such services will have to take reasonable steps to get the consent of a parent or guardian to offer a child under 13 years the service.
- Criminal offences: The DPB introduces new criminal offences of (i) knowingly or recklessly re-identifying personal data that has been anonymised, without the consent of the controller who de-identified the data; and (ii) altering personal data to prevent disclosure following the exercise of a subject access right.
- Request to provide records: The DPB replicates the DPA’s prohibition on requiring employees or contractors to provide certain records (including criminal records) obtained via subject access requests as a condition of their engagement, or on requiring the public to request such records in order to obtain goods, facilities or services. The DPB replicates the DPA provision for directors’ personal liability where an offence is committed with the consent, connivance or negligence of a director.
- Law Enforcement: Part 3 of the Bill deals exclusively with law enforcement, and organisations will only be subject to these clauses if they are:
  - a Competent Authority; or
  - processing for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

  Schedule 7 lists the Competent Authorities and this includes organisations such as Government departments, Police, Fraud Office, Probation, Youth Offending Teams etc. If you don’t meet the criteria above, you don’t need to worry about this large part of the Bill.

  However, if your organisation does fall into the law enforcement category, then your Data Protection Officer has extra specified tasks in clause 69, namely the ability to assign responsibilities, promote policies, undertake audits and deliver training. There is also an additional requirement to have specific audit trails on automated processing, ensuring a log of who collected, altered, erased and transferred data, amongst other things. For further help, the Information Commissioner’s Office (ICO) has published a checklist entitled “Preparing for the law enforcement requirements (part 3) of the Data Protection Bill: 12 steps to take now” available here.
- Public Authorities: The DPB confirms that where it refers to public authorities or public bodies, it means those organisations that are currently subject to Freedom of Information Act (FOI) provisions. Interestingly, this means any organisations brought under FOI in the future may also need to consider issues such as DPOs and use of legitimate interests.
- Data Breaches: As expected, in order to implement the GDPR requirements, any personal data breaches must be reported to the Information Commissioner’s Office (ICO), where there is a risk to an individual, within 72 hours unless there is reasoned justification. The potential derogation for public authorities has not been taken advantage of and they, like all other organisations, could face Civil Monetary Penalties of up to £17m or 4% of the equivalent of annual global turnover (although the ICO can change this). However, the ICO has given reassurance that it will continue to use these penalties as a last resort and they will be proportionate.
- Fees: The DPB makes provision for the ICO to continue to require a form of notification fees (currently £500 per annum for large organisations, £35 per annum for smaller data controllers). It also appears that the DPB allows the ICO to charge fees for other services too. The ICO will have to publish these fees and have them agreed by the Secretary of State.
Comment:
The DPB imports much of the DPA and contains few surprises. It is welcome news that the Government’s intention is clearly to retain many of the DPA derogations and exemptions. Although the DPB is still subject to amendment by Parliament, there is not much time for fundamental change, so the DPB does allow organisations greater clarity in their planning for implementation of the GDPR. However, as the law on data protection is not yet fully settled, do continue to watch this space…