On Monday, the UK Department for Digital, Culture, Media and Sport (DCMS) published a statement of intent for a new Data Protection Bill (“the Bill”) intended to repeal the current Data Protection Act 1998 (DPA), strengthen data protection laws in the UK and align with the EU General Data Protection Regulation (GDPR).
The GDPR and the Call for Views
The UK remains a member of the EU until Brexit officially takes place, and therefore the full rights and obligations of membership will apply until that happens. This includes an obligation to implement the GDPR, which will come into effect on 25 May 2018.
However, the GDPR includes certain flexible provisions that allow the UK to exercise discretion over how they will apply within its borders. On 12 April 2017, the DCMS issued a “call for views” on the GDPR derogations as an opportunity for stakeholders to have a say in informing the derogations policy of the UK.
Letter to Stakeholders
In a letter to stakeholders, the Minister of State for Digital, Matt Hancock MP, stated that matters addressed in the “call for views” included “calculating risk and fraud detection, developing membership and alumni data, and enforcing rules, both contractual and legal.” To address these concerns, the DCMS stated that they would do three things:
Additional concerns included the challenge of managing data subject access requests in the areas of research and archiving. In response, Hancock stated that “[they] will be exercising all of the available derogations to ensure that research organisations and archiving services do not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes, and providing that appropriate organisational safeguards are in place to keep the data secure.”
Statement of Intent
According to the statement of intent, the Bill is intended to “[e]xercise the available derogations in the GDPR that the UK government negotiated.” Notable derogations listed in the statement include:
According to the statement, the Bill will bring the UK’s data protection laws up to date and bring EU law into UK domestic law, while also supporting innovation and ensuring data protection, including tougher rules on consent, data subject access rights, and greater enforcement. Further, the statement explains that by adopting EU law into UK domestic law, the UK can be better prepared for a post-Brexit future.
How OneTrust Helps
OneTrust provides a simple and automated solution for global organisations to support their GDPR compliance, including readiness assessments, privacy impact assessments (PIA/DPIA), data mapping, website scanning and cookie compliance, subject rights and consent management, incident reporting, and vendor risk management.