The Government has issued a Statement of Intent outlining its plans for the new UK data protection law. The new law will update existing rules, replace the Data Protection Act 1998 (DPA), and implement the provisions of the EU General Data Protection Regulation (GDPR) and Data Protection Law Enforcement Directive in the UK.
- The statement highlights some of the new requirements for controllers and processors flowing from the GDPR, such as mandatory data protection officers and data breach notifications, and new data subject rights including the right to data portability and to be forgotten.
- It reveals certain areas where the UK may well ‘derogate’ (or deviate) from the basic position under the GDPR. Whilst not exhaustive, it confirms for example the approach the UK plans to adopt in respect of children’s information society services (i.e. online services). Where consent is relied upon as the lawful basis, the UK has opted to lower the GDPR default age threshold of 16 down to 13. This means parental or guardian consent will be required only for under 13s. The law will rely on other exemptions available under the GDPR to allow the processing of criminal convictions and offences data and ‘automated decision-making’ (for example, profiling) in specified circumstances.
- The statement says that the new law will retain “many of the enablers of processing essential to all sectors of the economy, from financial services to academic research” in order to facilitate a simpler shift for businesses and consumers. The detail of this should become clearer once the Data Protection Bill setting out the new law is published for review.
- The potential sanctions for breaches will be substantial. In line with the GDPR, the maximum penalties for civil breaches will be £17m (€20m) or 4% of global annual turnover, whichever is higher. There will also be new criminal offences which will have scope for unlimited fines in England and Wales. The planned changes include:
  - a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data (and of knowingly handling or processing such re-identified data);
  - a new offence of altering records with intent to prevent disclosure following a subject access request; and
  - broadening the existing offence of unlawfully obtaining personal data so that it also applies to people who retain data against the wishes of the controller, even if they obtained it lawfully.
It is expected that the Bill will be brought before parliament before the end of the year.