With the UK’s data protection framework set to change in 2018, David Edwards, head of Harrison Drury’s regulatory team, takes a closer look at the Data Protection Bill – soon to become the UK’s new and revamped Data Protection Act 2018.
A bit of background
A lot of organisations are already familiar with the term “GDPR” – the new General Data Protection Regulation. But are you aware of the wider impact on data protection?
The GDPR came into play in 2016, but the UK was granted a two-year grace period in which to get its new data protection framework in order, and as such, GDPR comes into force in the UK on the 25th
May 2018, replacing the current Data Protection Directive.
Did you also know that the Data Protection Bill (the Bill), also set to come into force on 25th May 2018, replacing the current Data Protection Act of 1998, will be forming part of the UK’s new regulatory framework?
When we refer to the ‘framework,’ we are referring to the GDPR and the new Data Protection Act – these will be the new governing regulatory and statutory provisions as of 25th May next year.
Don’t feel intimidated by these changes. While they are, of course, significant, we are here to help you understand them and make it possible for your business to comply fully with them.
The Bill was laid before parliament on the 13th September 2017, and continues to make its way through the legislative process. Once the Bill is passed, it will become known and referred to as the
Data Protection Act 2018. You can keep a check of the Bill’s process via this parliamentary link.
What does the Bill seek to do?
As a result of the GDPR being a Regulation – meaning that it will become directly applicable across the EU (including the UK, regardless of our Brexit status) without there being a requirement for the introduction of new domestic legislation, there will of course be gaps, and areas of legal uncertainty for which the UK will require clarity.
The focus of the Bill is on making data protection as relevant and necessary as possible in respect of meeting the UK’s requirements.
In short, the Bill will have three primary functions:
1. To fill in the gaps which the GDPR creates – as a result of this, when addressing data protection matters, both the GDPR and the new Data Protection Act will have to be consulted.
2. To extend the proximities of the GDPR – the new Data Protection Act will go into some areas which the GDPR will not cover. Examples of this can be seen in respect of law enforcement and intelligence services provisions which are catered for in the Bill.
3. To make the UK’s new data protection law unaffected from the Brexit matters. Once the UK officially leaves the EU, such EU Regulations will no longer be directly applicable to us. As such, the UK’s new data protection framework will need to mirror what is set out within the GDPR to avoid the problematic transferring of personal data between the UK and member states, and other complex issues.
What does the Bill say, and how does this connect with the GDPR?
The Bill has been split into seven different parts. Within the provisions, the Bill also refers to the relevant Article/s of the GDPR:
- Parts 1 and 2 will be the most significant for many organisations with these being the areas which address the foundations of a sound data protection regime – something which all organisations should be striving towards now.
- Parts 3 and 4 of the Bill address processing in respect of law enforcement and intelligence services. As identified above, these are two of the wider areas which the GDPR doesn’t seek to address.
- Part 5 of the Bill is in respect of the Information Commissioner’s Office (ICO) – All organisations should ensure that they are familiar with this part.
- Part 6 of the Bill stipulates the types of data protection enforcement (inclusive of financial penalties) and powers of the Court. Again, having a sound understanding of the enhanced sanctions brought in by the new data protection framework should assist organisations to formulate the appropriate risk management approach. Increased financial penalties and sanctions are one of the key changes in respect of the UK’s new data protection laws so make sure you are aware of these and their significance.
- Part 7 of the Bill looks at other, additional aspects, inclusive of criminal offences.
The Bill remains subject to further change. However, the Bill must be formalised and brought into force by the 25th May 2018, when the incoming of the GDPR brings the introduction of the UK’s new data protection framework.
What should organisations be doing now?
As stated above, while the Bill is still subject to further change, we strongly advise businesses to get themselves familiar with its layout and wording – this is what many organisations are already seeking to do in respect of GDPR.
Use the time you have between now and the 25th May 2018 to ensure that your organisation is establishing a sound understanding in respect of these changes, and most importantly – understanding what they mean for you and your business.
Harrison Drury will continue to post updates in respect of the UK’s changing data protection framework. If in the meantime you have any questions, please contact our Regulatory Team on 01772 258321, and a member of our team will be more than happy to assist. Alternatively, you e-mail David Edwards direct.