How the Data Protection Bill will replace GDPR following Brexit
What About Brexit?
GDPR is a Regulation, not a Directive and will, therefore, apply to all EU member states. The UK referendum result means that it will no longer be an EU member state in the near future. However, GDPR will come into force on 25th May 2018, before the UK’s Brexit matters are concluded, and since it applies to companies that deal with the data of EU citizens, it (or at least the UK’s own Data Protection Bill) will apply after Brexit.
UK Information Commissioner, Elizabeth Denham has said that she supports the UK adopting the EU regulation even post-Brexit because if the UK is to continue doing business with Europe, British businesses will need to share information about and provide services for EU customers.
The UK’s Equivalent of GDPR – The Data Protection Bill
With this in mind, the UK is bringing in its own Data Protection Bill, which was announced in the Queen’s speech in June 2017, and was introduced to the House of Lords on 13 September 2017. This will allow UK businesses to continue doing business with the EU post-Brexit. GDPR will become law in the UK in May 2018, but the Data Protection Bill (DPB) will enable UK businesses to make the transition after March 2019, the current tentative date for the UK leaving the EU (Brexit).
This new UK DPB will replace the Data Protection Act 1998, and will essentially transfer the EU’s GDPR into UK law. The Bill covers many exemptions, restrictions, and clarifications relating to GDPR. Crucially, the DPB will mean that:
It will be easier for people to see / obtain the data that organisations hold about them, and to withdraw consent for the use of their data
People can ask for their data to be erased / forgotten
Companies will need to ask for explicit consent to process personal data
More things will be included under the term ‘personal data’ e.g. IP addresses, DNA and even cookies (text files loaded onto computers during website visits)
Re-identifying people from sources such as anonymous or pseudonymised data will be a criminal offence
DPB Extra Powers – ‘Assessment Notices’
The DPB will give extra assessment powers to UK regulators that are not currently available unless they relate to government agency. For example, new ‘Assessment Notices’ will give the Information Commissioner’s Office (ICO) the powers to enter the premises of any organisation, and to audit its data security compliance e.g. by examining documents, equipment and processing of data.
If it is decided from the audit that an organisation is not DPB compliant, enforcement notices and a schedule for correction can be put in place. Fines can also be issued of the same level as GDPR e.g. 4% of an organisation’s worldwide revenue.
Just as GDPR compliance sounds challenging to businesses / organisations that are not prepared, it could represent an even bigger challenge to businesses (UK companies and UK-based multinationals) / organisations that have neglected data the enormous amounts of data held in file systems. For them, the DPB will doubtless come as a shock.