The biggest reforms to UK data protection laws in over twenty years have now begun their legislative journey. The new Data Protection Bill, was introduced in the House of Lords yesterday and formally published this morning. The Bill aims to update data protection laws for the digital age in which we live.
The Bill's primary goal is to honour the Government’s commitment to fully implement the General Data Protection Regulation into UK law. Doing so is not just vital in meeting the UK Government’s legal obligations under EU law, but will also provide crucial in laying the groundwork for the UK achieving a mutual adequacy agreement to allow the free flow of personal data with the EU post-Brexit. The Government recently published a position paper on data flows post-Brexit and you can see techUK’s thoughts on that paper here.
The Bill does not recreate GDPR language in UK law, that will be done as part of the ‘conversion’ process of EU law onto the UK statute book as part of the European Union (Withdrawal) Bill (you can read techUK’s briefing on that bill here). Instead it sets out how the Government intends to utilise the available derogations offered within the GDPR. As a result, to make sense of the Bill it should be read alongside the GDPR itself. For example the Bill confirms that the UK will set the age of consent at 13.
Within the Bill are provisions to replicate a number of the exceptions and restrictions which exist under the Data Protection Act 1998, which will be repealed and replaced by this new legislation. These exceptions will ensure that certain types of important economic, social and legal data processing can continue to take place.
One key difference between GDPR and the Data Protection Act 1998 is that the GDPR, given it is an EU regulation, only applies to areas of law under the competency of the European Union, whereas the Data Protection Act 1998 applies to all data processing. This new Bill therefore extends GDPR standards across all general data processing, with some exemptions.
Aside from implementing GDPR derogations, the Data Protection Bill will also implement the Law Enforcement Directive, address National Security processing and update regulation and enforcement.
The Bill, as with the GDPR, proposes the most far reaching reforms to data protection law in over twenty years and will significantly increase the control individuals have over their personal information. Organisations of every size and sector will need to ensure they are compliant with the new rules by 25 May 2018, and the clock is ticking.
techUK is looking forward to working with Government, Parliamentarians and others as the Data Protection Bill makes its way through the Parliamentary process, as well as raising awareness of the new responsibilities faced by businesses under the new rules.
If you would like more information about techUK’s work on Data Protection please contact Jeremy Lilley.