On 7 August 2017, the Government published its Statement of Intent (SoI) on ‘A new Data Protection Bill: Our planned reforms’. The SoI states that implementation of the GDPR and repeal of the Data Protection Act (DPA) will be done in a way that, so far as possible, preserves the concepts of the DPA, to ensure that the transition for all is as smooth as possible while complying with the GDPR in full.
The Government has 3 main objectives in its approach to data protection law as we prepare to leave the European Union – (1) Maintaining trust; (2) Future trade; and (3) Security.
DLA Piper’s Data Privacy team has published a blog on the SoI here. The key aspects from an employment perspective are as follows:
Rights of individuals
The Bill aims to better protect UK citizens through a combination of new and strengthened existing rights:
- Privacy – rules around consent are being strengthened and subject to additional conditions such as being unambiguous and easy to withdraw;
- Improved data access – it will be easier for individuals to require an organisation to disclose the personal data it holds about them at no charge;
- Right to be forgotten – individuals will be able to ask for their personal data to be erased; and
- Profiling – individuals will have greater say in decisions that are made about them based on automated processing.
Requirements for organisations
Requirements will be strengthened or amended to reflect the changing nature and scope of the digital economy. The aim is to build accountability but with less bureaucracy – administrative and financial burdens will be alleviated but there will be increased requirements for data breach notification. The Bill will help to reduce business exposure to risk of data protection breaches and associated fines and reputational damage and will provide a clearer regime for data processing.
Regulator’s powers
The Information Commissioner will retain existing powers and gain additional authority to impose greater sanctions in the event of a data breach.
Exceptions and derogations
The Government conducted a ‘Call for views’ on the GDPR derogations which closed on 10 May 2017. The Bill will exercise the available derogations in the GDPR. The most notable are:
- Giving consent to process data and protecting children online – children aged 13 or older will be able to consent to their personal data being processed;
- Processing criminal conviction and offence data – the Government will legislate to extend the right to process personal data on criminal convictions and offences so as to enable organisations other than those vested with official authority to process criminal conviction and offences data. It will take a similar approach to that taken for the processing of sensitive categories of data;
- Automated decision making – the Government will legislate to implement the exemption where suitable measures are put in place to safeguard an individual’s rights, freedoms and legitimate interests, e.g. in relation to a bank checking creditworthiness before agreeing to provide a loan; and
- Research – research organisations will not have to respond to SARs when this would seriously impair or prevent them from fulfilling their purposes; they will not have to comply with an individual’s rights to rectify, restrict further processing and object to processing where this would seriously impede their ability to complete their work and provided that appropriate organisational safeguards are in place to keep the data secure.
Implications
The full detail of how the Government intends to implement the GDPR in the UK to ensure that data transfers to and from Europe post-Brexit are protected will not be clear until the text of the Bill is published. There are welcome indications that the Bill will deal with some aspects of the GDPR which could otherwise have been problematic for UK employers such as the prohibition on processing data about criminal records. It remains to be seen whether the Bill will deal with other problem areas such as the GDPR’s lack of exemptions to data subject access requests which could lead to employers being required to disclose privileged information. However, the SoI is helpful in further articulating the UK Government’s commitment to the adoption of the GDPR both pre- and post-Brexit.