UK Data Protection Bill will impact the GDPR in the UK

Today, we finally have the UK Government’s take on the General Data Protection Regulation (“GDPR”) and it will affect your business from May 2018.

The UK Government today published the UK Data Protection Bill which, although subject to change, is an important milestone which illustrates the UK’s vision for data use post-Brexit. The UK Government believes that it will make our data laws “fit for purpose for our increasingly digital economy and society”.

Time will tell whether or not this goal will be achieved. However, it is clear at this stage that the key aim is to interpret and complement the GDPR for application within the UK, by applying certain existing exemptions and concepts under the Data Protection Act 1998 to support UK industry.

That said, the main elements of GDPR remain – including the increased penalty regime! Non-compliance will carry heavy potential penalties with a maximum fine of £17 million or 4% of global turnover. Now is the time to ensure compliance.

Our detailed analysis will follow shortly; at this stage, however, the key points to note include:

  • Enhanced individuals’ rights – including the right to be forgotten; data portability; tighter controls with regard to consent (opt-out boxes should be a thing of the past); and the right to withdraw consent;
  • Legitimate interests – clarification of processing personal data for ‘legitimate interests’, provided that it achieves a balance with individuals’ rights;
  • Processing of sensitive and criminal conviction data without consent – this may be permitted where justified (including employers fulfilling their obligations under employment laws);
  • Processing for the pricing of risk – this will be permitted under certain circumstances;
  • Prevention and detection of fraud – certain safeguards will be introduced;
  • Online age of consent – where parental consent is not required, this will be set at 13 years.

We now know the UK Government’s view of GDPR, so factor these important considerations into your GDPR preparations.
