The Data Protection Bill and GDPR
There have been some questions raised regarding the relationship between the Data Protection Bill and GDPR.
The Bill is intrinsically linked to GDPR and will bring GDPR into UK law. In the Impact Assessment that was released alongside the Bill, the UK Government have stated the following objectives:
- To provide a comprehensive and modern framework for data protection in the UK, with stronger sanctions for malpractice;
- to set new standards for protecting general data, in accordance with the GDPR;
- give people more control over use of their data, and provide new rights to move or delete personal data whilst preserving existing tailored exemptions from the Data Protection Act;
- provide specific frameworks tailored to the needs of our law enforcement agencies and intelligence services, to protect the rights of victims, witnesses and suspects while ensuring we can tackle the changing nature of global threats.
In addition, the GDPR makes room for local amendments for certain areas of the regulation, there are known as derogations. The Bill describes what the UK will do regarding the derogations. One example is the age at which adult consent should be sought when dealing with children. The Regulation states consent from an adult should be sought up to the age of 16, but there is a derogation in this area, the UK has decided to reduce this to 13, which brings it into line with other UK regulations.
The important message is that the Data Protection Bill 2017 is not a replacement for GDPR, rather the way the UK will implement it. A Government statement on the Bill states:
The Bill is a complete data protection system, so as well as governing general data covered by GDPR, it covers all other general data, law enforcement data and national security data. Furthermore, the Bill exercises a number of agreed modifications to the GDPR to make it work for the benefit of the UK in areas such as academic research, financial services and child protection.
The Bill can be amended up to the point of Royal Assent and there is no date set for this yet, however it is safe to assume it will be before 25th May 2018.
It is worth understanding the derogations set out in the Bill and considering them as part of your implementation, but on the whole follow the guidance set out in the GDPR and by the Information Commissioner’s Office (ICO)
Finally when launching the Bill, Culture Secretary, Karen Bradley said:
“In the digital world strong cyber security and data protection go hand in hand. This Bill is a key component of our work to secure personal information online.”
So, as a minimum you can start your preparations by getting your Cyber Security tighter by considering Cyber Essentials and IASME.
Data Protection Bill Fact Sheet – Overview: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/644634/2017-09-13_Factsheet01_Bill_overview.pdf
ICO Data Protection Reform Pages: https://ico.org.uk/for-organisations/data-protection-reform/