Government reforms (1): Data protection – towards the GDPR

What do we already know?

We updated you in our April 2016 Newsletter, “Government reforms (1): Data protection – changing times…”, and our June 2016 Newsletter, “Government reforms (2): data protection changes – guidance on its way”, about the new General Data Protection Regulation (GDPR), which will replace the current EU Data Protection Directive and national data protection legislation.

We updated you in our November 2016 Newsflash, “Data protection – changing times”, that the Government has confirmed that the UK will be implementing the GDPR in May 2018.

What’s new?

The Government has published a statement of intent on the planned Data Protection Bill. The Bill will repeal the UK’s current data protection legislation, the Data Protection Act 1998, and incorporate the GDPR into UK law. The Bill is planned to be published this month and its three main objectives are to maintain public trust in how personal data is handled, to ensure uninterrupted data flows between the UK, EU and globally for trade purposes, and to maintain the ability to share, receive and protect data for security and law enforcement purposes following Brexit.

The Bill will reflect the GDPR, which enhances existing data protection law, including by providing for Information Commissioner’s Office penalties of up to £17 million or 4% of global turnover.

The statement of intent sets out specific UK law plans. These include making serious data protection criminal offences recordable and creating two new criminal offences of:

  • intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, or knowingly handling or processing such data; and
  • altering records (by controllers or processors) with intent to prevent disclosure following a subject access request.

The current offence of unlawfully obtaining data will be extended to cover retention of data against a data controller’s wishes (even where data was initially lawfully obtained).

Although the Bill has been presented as a brand new law, it appears that it will reflect the GDPR and maintain existing Data Protection Act regime provisions where possible. This should help provide for continuity and a smooth transition for both GDPR and Brexit. This approach will likely be welcomed by organisations and businesses that are already grappling with new GDPR compliance requirements.