The Data Protection Bill will implement into UK law the GDPR derogations and the EU Data Protection Law Enforcement Directive, the government announced today. The majority of the EU General Data Protection Regulation (GDPR) provisions will automatically become UK law on 25 May 2018 when the GDPR enters into force. In publishing its legislative plans, the government confirms that it will repeal the Data Protection Act 1998 but reflect it where possible, including reproducing the existing exemptions and safeguards as far as possible.
The government says it will seek to ensure that data flows ‘between the UK and the EU, and also appropriately between the UK and third countries and international organisations, remain uninterrupted after the UK’s exit from the EU’.
The proposed derogations include a provision under which organisations that currently process sensitive personal data in compliance with the DP Act can continue to do so under the GDPR. To clarify lawfulness of processing for public interest purposes, the government says its policy aim is to reflect the DP Act as far as possible and continue to provide clarity as to what processing for ‘public interest purposes’ means.
The term ‘public authority’ is not defined in the GDPR. For clarity, the government proposes to base the definition on the one present in the Freedom of Information Act 2000.
New elements include:
· The government proposes that, for the purposes of children’s consent, anyone aged 13 years or older would be allowed to consent to their personal data being processed. In addition, the Bill would require social media platforms, on request, to delete information held about children once they reach the age of 18.
· The government “intends to make the ICO and the UK Accreditation Service (UKAS) the certification bodies.” They would be responsible for the assessments that lead to certification or its withdrawal, and for giving the reasons for those decisions.
· “to ensure that individuals are able to exercise their rights to authorise non-profit organisations to deal with claims on their behalf, and that such organisations can collect damages awarded on individuals’ behalf.”
The new law will include GDPR fines and 72-hour data breach notification, and will create new offences relating to re-identifying anonymised or pseudonymised data.
Research organisations and archiving services would not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes.
The government’s statement of intent can be seen at https://www.gov.uk/government/consultations/general-data-protection-regulation-call-for-views