On Monday, the UK Department for Digital, Culture, Media and Sport (DCMS) published a statement of intent for a new Data Protection Bill (“the Bill”). The Bill is intended to repeal the current Data Protection Act 1998 (DPA), strengthen data protection law in the UK and align it with the EU General Data Protection Regulation (GDPR).

The GDPR and the Call for Views

The UK remains a member of the EU until Brexit officially takes place, and therefore the full rights and obligations of membership will apply until that happens. This includes an obligation to implement the GDPR, which will come into effect on 25 May 2018.

However, the GDPR contains a number of flexible provisions (“derogations”) that leave member states discretion over how those provisions apply within their own borders. On 12 April 2017, the DCMS issued a “call for views” on the GDPR derogations, giving stakeholders an opportunity to inform the UK’s policy on which derogations to exercise and how.

Letter to Stakeholders

In a letter to stakeholders, the Minister of State for Digital, Matt Hancock MP, stated that matters addressed in the “call for views” included “calculating risk and fraud detection, developing membership and alumni data, and enforcing rules, both contractual and legal.” To address these concerns, the DCMS stated that they would do three things:

  1. Firstly, we will exercise the available derogations through the Data Protection Bill.
  2. Secondly, we will where possible reproduce the exemptions and safeguards currently in the Data Protection Act.
  3. Thirdly, we will work closely with the Information Commissioner to ensure that her guidance helps signpost the way through the transition to the new law.

Additional concerns included the challenge of managing data subject access requests in the areas of research and archiving. In response, Hancock stated that “[they] will be exercising all of the available derogations to ensure that research organisations and archiving services do not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes, and providing that appropriate organisational safeguards are in place to keep the data secure.”

Statement of Intent

According to the statement of intent, it is intended for the Bill to “[e]xercise the available derogations in the GDPR that the UK government negotiated.” Notable derogations listed in the statement include:

  • Giving consent to process data and protecting children online. Setting the age at which a child can give their own consent to the processing of their personal data at 13, rather than the GDPR default of 16. (The GDPR sets the default at 16 but allows member states to lower it to no less than 13.)
  • Processing criminal conviction and offence data. Extending the ability to process personal data relating to criminal convictions and offences beyond bodies vested with official authority, so that other organisations may process such data where there is a proper basis for doing so.
  • Automated individual decision-making. Implementing an exemption from the right not to be subject to automated decisions, so that personal data can be processed by automated means on legitimate grounds where suitable measures are in place to safeguard the individual’s rights, freedoms and legitimate interests.
  • Freedom of expression in the media. Implementing journalistic exemptions from certain data protection obligations so that journalism in the public interest can be carried out, while striking the right balance between freedom of expression and the right to privacy.
  • Research, statistics and archiving. Implementing an exemption from certain data subject rights, such as the right to rectification and the right of access, for organisations engaged in scientific or historical research, statistics or archiving.

According to the statement, the Bill will bring the UK’s data protection laws up to date by transposing the GDPR into UK domestic law, supporting innovation while strengthening data protection through tougher rules on consent, stronger data subject access rights and greater enforcement powers. The statement adds that adopting the EU framework into domestic law leaves the UK better prepared for a post-Brexit future, since its rules will remain aligned with those of the EU after it leaves.

How OneTrust Helps

OneTrust provides a simple and automated solution for global organisations to support their GDPR compliance including: readiness assessments, privacy impact assessments (PIA/DPIA), data mapping, website scanning and cookie compliance, subject rights and consent management, incident reporting, and vendor risk management.