Following the Statement of Intent published in August 2017, the new Data Protection Bill has now been introduced to Parliament and had its first reading in the House of Lords on 13 September 2017. The second reading in the House of Lords, which will include a general debate on all aspects of the Bill, is due to take place on 10 October 2017.
Once enacted, the Bill will replace the current Data Protection Act 1998 (DPA) to provide a comprehensive updated legal framework for data protection in the UK, supplemented by the EU General Data Protection Regulation (GDPR) until the UK leaves the EU. The GDPR will have direct effect in the UK from 25 May 2018. Therefore, until the UK leaves the EU, the GDPR will operate in tandem with the Bill. When the UK then leaves the EU in March 2019, the government will restore a wholly domestic basis to our data protection laws but the Bill allows for the continued application of GDPR standards.
The government has said that the Bill will make data protection laws fit for the digital age, in which an ever-increasing amount of data is being processed, and that it will empower people to take control of their personal data by giving them new rights to transfer or erase their data, including a right to be forgotten. It has announced that the Bill will:
• Replace the DPA.
• Preserve existing exemptions that have worked well in the DPA, carrying them over to the new law (see below).
• Ensure that the UK is prepared for the future after we have left the EU.
The Bill will include exemptions for data processing in the following areas:
• Processing of personal data by journalists for freedom of expression and to expose wrongdoing is to be safeguarded.
• Scientific and historical research organisations such as museums and universities will be exempt from certain obligations which would impair their core functions.
• National bodies responsible for the fight against doping in sport will continue to be able to process data to catch drug cheats.
• In the financial services sector, the pricing of risk or data processing done on suspicion of terrorist financing or money laundering will be protected.
• Where it is justified, the Bill will allow the processing of sensitive and criminal conviction data without consent, including to allow employers to fulfil obligations of employment law.
The Information Commissioner’s Office (ICO) will be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4% of global turnover, in cases of the most serious data breaches.
The government has also published a number of useful factsheets on the Bill.