On Monday, the Government published a Statement of Intent about the forthcoming Data Protection Bill. The idea behind the Bill is to fill in some of the gaps in the General Data Protection Regulation (GDPR), which will come into force on 25th May 2018. The full text of the Bill is likely to be published in September.
The Bill follows a consultation exercise run by the DCMS earlier this year calling for views on implementation of the “derogations” under GDPR. These are areas where EU member states are left to produce their own laws to fit their circumstances while keeping within the GDPR framework. Notable derogations, amongst others, include the minimum age at which a child can consent to data processing, when data about criminal convictions and offences can be processed, and exemptions (including for freedom of expression in the media).
That’s the real background to Monday’s statement. But this did not stop the media from peddling myths and misunderstandings. Upon reading the headlines, a layman or woman would get the impression that:
The Bill gives people new rights (No it does not, the GDPR does.)
(GDPR is a Regulation and so directly applicable. It does not need to be “signed into British law” whilst we remain members of the EU. Post Brexit it will still be applicable because of the provisions of the Great Repeal Bill (More here.))
The BBC even reported that “the new law was drafted by Digital Minister, Matt Hancock.” Yesterday the story was changed to state that it was “drafted under Digital Minister, Matt Hancock.” (I have asked them about this.)
Then again, the media is not entirely at fault. The Government’s statement is drafted (or spun) in such a way as to give the impression that GDPR is all their idea rather than the EU’s. Mr. Hancock, in his foreword, even suggests that the Bill is part of the Government’s grand Brexit plan (if there is a plan!):
“Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU.”
All this myth peddling has led to some official myth bashing too. (See the ICO’s latest blog post.)
So what have we actually learnt about the Government’s GDPR intentions? Much of the statement explains the provisions of the GDPR or states the obvious. For example, that the Data Protection Act 1998 (DPA) will be repealed. As if there was any choice!
- Children and Consent – The UK will legislate to allow a child aged 13 years or older to consent to their personal data being processed (rather than 16 which is GDPR’s default position).
- Exemptions – The GDPR allows the UK to introduce exemptions from the transparency obligations and individuals’ rights. The Government will make the same exemptions available under GDPR as currently under the Data Protection Act (see S.29-35 and schedule 7 of the DPA).
- New Offences – The Bill will create a number of new criminal offences:
  - Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, and knowingly handling or processing such data
  - Altering records with intent to prevent disclosure following a Subject Access Request (just like under S.77 of FOI)
  - Retaining data against the wishes of the Data Controller, even where the data was originally obtained lawfully (this would constitute a widening of the current offences provided for in s. 55 DPA)
- Journalism – There will be a journalistic exemption in GDPR similar to S.32 of the DPA (balancing data protection rights with journalistic freedoms). The Information Commissioner’s Office (ICO) will have wider powers to take enforcement action in media cases.
- Automated Decisions – There will be an exemption from the general rules in GDPR about automated decision making and profiling where such processing is in the legitimate interests of the Data Controller.
- Research – There will be exemptions to the general rules in GDPR about Data Subjects’ rights. Research organisations and archiving services will not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes. Research organisations will not have to comply with Data Subjects’ rights to rectify, restrict further processing and object to processing where this would seriously impede their ability to complete their work, provided that appropriate organisational safeguards are in place to keep the data secure.
Data Controllers should not wait for the Data Protection Bill to be published before starting their GDPR preparations. There is so much to do now:
- Raise awareness about GDPR at all levels. (Check out our full day workshop and our GDPR poster).
- Consider whether you need a Data Protection Officer and if so who is going to do the job.
- Review compliance with the existing law as well as the six new DP Principles.
- Review how you address records management and information risk in your organisation.
- Revise your privacy policies in the light of the GDPR’s more prescriptive transparency requirements.
- Review your information security policies and procedures in the light of the GDPR’s more stringent security obligations, particularly breach notification.
- Write policies and procedures to deal with new and revised Data Subject rights, including Data Portability and Subject Access.
- Consider when you will need to do a Data Protection Impact Assessment.