There has been significant activity around GDPR in the UK this month: The Data Protection Bill had its second reading in the House of Lords, and is now heading to the committee stage. The bill provides for the UK’s implementation of GDPR, with some special twists and turns, given the UK’s intention to leave the EU and the government’s particular preferences, notably those based on the Conservative Party Manifesto from the 2017 UK general election. What follows is a general overview of the main areas of interest to people working with data. It obviously isn’t legal advice, and guidance on the current law is on the ICO website. This is a ‘heads up’ about some important upcoming areas that I haven’t yet seen referenced elsewhere.
“…give people new rights to ensure they are in control of their own data, including the ability to require major social media platforms to delete information held about them at the age of 18, the ability to access and export personal data, and an expectation that personal data held should be stored in a secure way.” Conservative Party Manifesto 2017
The UK’s Own GDPR
While GDPR is an EU-wide set of regulations, a number of areas have been left for national governments to adjust to their own preferences (“derogations” – aka the bits of GDPR member states couldn’t all agree on). Some particular exceptions for the UK are: the removal of the right of data subjects to carry out group action (bringing a “class action” style case against a company); a different minimum age at which a person can give consent for having their data used relative to many EU countries (13 for the UK, by comparison to as much as 18 in some other member states); and a right to erasure at 18.
The Bill runs to 194 clauses and 18 schedules. In some ways the act is the data protection boomerang coming back to the UK. The UK’s first Data Protection Act (1984) was repealed by the Data Protection Act 1998, which came into force on 1 March 2000. The Data Protection Act is the framework for the UK’s current data protection regime, and implements the EU’s 1995 Data Protection Directive, ensuring the free flow of personal data between EU member states. The scope of the UK’s 1998 Act is wider than the EU Directive, so for that reason and others the draft UK Data Protection Bill covers areas beyond GDPR and general data processing, to include law enforcement and national security. If you are interested in the last two categories, you are likely to have your own sources, so I’ll focus on the general data processing part, which will:
- Implement the GDPR standards.
- Clarify definitions used in the GDPR, for the UK.
- Enable sensitive health, social care and education data to continue to be processed.
- Restrict rights to access and delete data where there is a public policy justification (eg national security).
- Set the age from which parental consent is not needed to 13.
New Powers and New Offences
It also proposes a number of other exemptions, particularly around scientific research. The Department for Digital, Culture, Media and Sport has issued a factsheet on the bill. Some of the proposed changes relative to current law are:
- Additional powers for the Information Commissioner.
- Higher administrative fines on data controllers and processors (up to £17m or 4% of global turnover as per GDPR).
- The Commissioner can bring criminal proceedings for offences where a controller or processor alters records with intent to prevent disclosure.
The bill proposes new criminal offences, including this one for failing to disclose data in response to Data Subject Access Rights. There are three notable proposed offences:
UK companies and professionals will need to pay particular attention to these. It is also a good time to remember that while data controllers will usually be business organisations, they can also be individuals, for example self-employed consultants, as well as charities, voluntary organisations and so on. The criminal offences are personal offences, not corporate ones. If you handle data about “living persons” you will need to understand the new obligations when they come into effect. In the past, data processors had relatively limited responsibilities; GDPR and the new act change that.
GDPR On Track in the UK
In terms of what happens in the UK “post-Brexit”, the Parliamentary Committee has recommended that the UK “maintain regulatory equivalence with the EU in respect of data protection in order to ensure unhindered data flows between the UK and EU post Brexit.” This would mean copying the remainder of GDPR into UK law, which should happen under the European Union (Withdrawal) Bill. This was confused by Government Minister Boris Johnson’s recent suggestions that the UK “would want to do things differently to the EU in certain areas, such as data”. His comment isn’t at all helpful for businesses in the UK; however, it isn’t government policy. It looks likely that the UK will follow EU Data Protection requirements very closely for the foreseeable future.