The UK Government has published a statement of intent, setting out details of the forthcoming Data Protection Bill. The Bill will be published next month and will give effect to the EU General Data Protection Regulation (GDPR) in the UK from May 2018.
The statement follows on from the Government’s “call for views” in April on how it should implement the permitted exemptions within the GDPR (to which it received 324 responses) and the Government’s commitment to introducing the Bill in the Queen’s Speech in June.
The Digital Minister noted that the “Bill will bring our data protection laws up to date…and will both support innovation, and ensure that we can remain assured that our data is safe as we move into a future digital world”. The Minister also promised that the new Bill “will give us one of the most robust, yet dynamic, set of data laws in the world” that “protect[s] privacy, strengthens rights and empowers individuals to have more control over their personal data”.
The Bill will apply to all personal data, not just personal data that falls within areas of EU competence. It will preserve much of the content of the GDPR, although the Government has confirmed its intention to apply exemptions from the GDPR, two of which will make the Bill more palatable to business.
The first of these allows organisations other than the Police to process personal data on criminal convictions and offences.
The second concerns automated data processing. The GDPR gives individuals the right not to be subject to automated decision-making, but there are certain sectors, including financial services, that rely heavily on this type of data processing. The Bill will permit automated data processing, but individuals will have the right to challenge any resulting decisions and request human intervention. The Bill will repeal and replace the existing law, the Data Protection Act 1998, in its entirety.
Some of the key features of the Bill will include:
there will be new offences, including the offence of altering records with the intent of preventing disclosure following receipt of a subject access request, with a maximum fine of level 5 on the standard scale
While the statement represents an important milestone in the current process of Data Protection reform and confirms that work on the content of the Data Protection Bill is already underway and is in its advanced s