UK data protection laws have been thrust into the news headlines today to alert Britons that they could obtain more control over what happens to personal information under proposals outlined by the government. The proposals are part of an overhaul of UK data protection laws drafted under Digital Minister, Matt Hancock, who said;
“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world,"
The bill will effectively transfer the European Union's General Data Protection Regulation (GDPR) into UK law. The Data Protection Bill will make the necessary repeals including that of the Data Protection Act 1998, to ensure clarity of roles and responsibilities for all involved.
Data Protection Reforms
Alongside strengthening individuals’ rights and expanding the definition of ‘personal data’, the Data Protection Bill aims to offer further clarity and certainty to businesses whilst they continue to collect, share and process personal data. In so doing, the Bill will maintain the UK’s world-renowned culture of innovation, promote economic growth and cement the UK’s position as a global leader in the digital economy.
However, the proposed Data Protection Bill must be consistent with the GDPR and the Law Enforcement Directive as they help ensure the safe flow of data between the UK and key markets, such as the US and EU.
The Bill reflects the GDPR with regards to individuals’ new and strengthened existing rights such as; the requirement for explicit consent and the new ‘right to be forgotten’. The GDPR is also mirrored with regards to organisations in that data controllers will be more accountable for the data being processed and mandatory impact assessments for those organisations carrying out high risk data processing.
The measures outlined in the GDPR are thus being woven into the governments’ bill, however the bill introduces new and unique criminal sanctions.
New Criminal Sanctions
Under the planned reforms, the most serious offences will become recordable on the Police National Computer and can be disclosed as part of previous conviction or criminality checks.
The government states that offences will be modernised to ensure that prosecutions continue to be effective and are able to deal with emerging threats. In particular:
A new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data will be created. Offenders who knowingly handle or process such data will also be guilty of an offence. The maximum penalty would be an unlimited fine.
A new offence of altering records with intent to prevent disclosure following a subject access request. The offence would use section 77 of the Freedom of Information Act 2000 as a template. The scope of the offence would apply not only to public authorities, but to all data controllers and processors. The maximum penalty would be an unlimited fine.
The existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller will be widened.
Elizabeth Denham, the Information Commissioner, said:
"We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public."
If you would like advice on compliance with the GDPR measures due to be implemented into domestic legislation under the Data Protection Bill, please contact; Andrew Swan - Head of Regulation and Financial Crime or Sheila Ramshaw- Specialist in Regulation at Short, Richardson & Forth on 0191 232 0283.