What does the Data Protection Bill mean for GDPR May 2018?
So the question you may ask is why then has the Government introduced a new draft Data Protection Bill (DPB)? What do UK Organisation/businesses need to know?
A universal regime: The GDPR currently does not cover all areas of personal data processing. For example, the GDPR explicitly does not apply to law enforcement agencies.an example:(UKBA will benefit greatly with the exemption in protecting national interests, border controls) The DPB seeks to apply the GDPR to all those areas excluded under the GDPR (other than processing for personal reasons) – the end result will be one regime that applies across the board
One rule for all: The DPB implements the EU’s law enforcement directive into UK law and ensures that a data protection regime along the lines of the GDPR will apply to all (including the intelligence services)
Harmonised data protection: Despite the fact that the GDPR is intended to implement one harmonised data protection regime across the EU without the need for further legislation, it nevertheless does allow member states some latitude in some specific areas. For example, grounds for processing special categories of data (what used to be called ‘sensitive personal data’), in addition to those already in the GDPR, can be set by member states. The DPB therefore uses this discretion and ‘fills in the gaps’
Brexit-proof: Whilst the DPB doesn’t implement the GDPR itself into UK law, it does seek to ‘Brexit-proof’ the GDPR. On Brexit, the GDPR will be incorporated into UK law through the mechanism outlined in the EU Withdrawal Act – but the DPB makes adjustments to the terminology in the GDPR, so that it will work under UK law. For example, references to ‘member states’ will be changed to ‘the UK’
Children: The age at which children can give valid consent in relation to ‘information services’ (such as online banking and social media) is 13 or above. Verified parental consent will now be required for children under 13 wanting to sign up for such services
Taxes and research: Currently the UK has discretion to make exemptions from the GDPR - the DPB seeks to replicate these for the most part. For example, the processing for crime and taxation purposes and the performance of functions of regulatory bodies regarding research, historical or statistical information, meaning that it remains very similar to the current position (under the 1998 Act)
When will it come into force?
It so far unclear when the DPB will come into force as it requires an order by the appropriate Secretary of State. However It would make sense that it happens at the same time as the GDPR itself comes into force on 25 May 2018 but l will be very intrested on how this is implemnted.
The draft for the DPB is still going through parliament (it has just had its second reading in the House of Lords and now goes into the committee stage).As soon l have more details l will definetely write on it however it is possible that there may be some changes in the DPB during this process. However, most interested individuals agree that, the approach does make sense and where possible, the government has sought to replicate the various positions and requirements of current law as far as possible.
As always this from my personal exeperience and understanding of GDPR laws. I am am not a GDPR lawyer or Solicitor but my mission is to help you understand implications of GDPR. I am happy to help if you need my help reach out to me at firstname.lastname@example.org