On Monday 7th August, the UK government outlined plans for a new data protection law. The new legislation is expected to ensure the GDPR, with all of its sentiment and rigour, will be enshrined in UK law and thus allow data to be sent between the UK and EU in an unfettered manner.
As most are already aware, the General Data Protection Regulation will be enforceable across Europe and the UK on the 25th May 2018. The only slight ‘wrinkle’ to this was the unknown effect of the UK referendum on membership of the EU, which gave rise to a degree of uncertainty over what data protection might look like in a post-Brexit Britain. The UK government’s new data protection law seeks to address this issue.
Matt Hancock, Minister of State for Digital, has stated the new bill will “give us (UK) one of the most robust, yet dynamic sets of data laws in the world. It will give more control over their data, and require more consent for its use, and prepare Britain for Brexit.” We have already seen similar bills being discussed in various EU countries – perhaps the most publicised being Germany, the Netherlands and Poland – as they seek to expand or derogate in any areas where permitted under the GDPR. What is different about this bill is that it is being drafted in a way to account for Brexit while continuing to illustrate to the EU that the UK is a safe place to process personal data. Failure to achieve such a finding of ‘adequacy’ would be a major headache for the UK government and British businesses; those expecting a more lenient or understanding data protection law are therefore likely to be disappointed.
Some of the most talked about points of the new legislation are:
1. the fining structure will be the same as that for the rest of the EU under GDPR (4% of global turnover);
2. the threshold for obtaining consent will be hard to achieve, onerous to maintain and easier to withdraw; and
3. rights relating to the deletion of data (in certain circumstances) will be enhanced.
In order to ensure data protection remains of utmost importance to UK businesses, the ICO will receive greater power to ensure standards can be maintained after Britain exits the Union. Information Commissioner Elizabeth Denham has welcomed the government’s steps towards a more robust data protection regime, stating: “We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.”
What is clear is that there is no hiding from the reach of the GDPR, and businesses are best served by immediately investing adequate time and resource in ensuring their compliance plans are on track – data maps compiled, policies and processes in order, DPIAs documented and contracts with processors fit for purpose.
Vero will continue to monitor and provide updates in relation to developments in this and other key areas in the run-up to GDPR.