Prettys Solicitors Ipswich

GDPR and The Data Protection Bill: Putting the puzzle together

October 2017

Introduction

We were all getting used to the idea of the GDPR, and how it would affect us, when Brexit came along and cast considerable uncertainty over what would happen and when. The picture then became more complicated when, in the summer, the Government published the Data Protection Bill. So, where are we now, and how do the various pieces of data protection legislation fit together?

The General Data Protection Regulation

From 25 May 2018, the EU’s General Data Protection Regulation (“GDPR”) will be in force in the UK. As we will still be in the EU at the time, further legislation is not needed. After Brexit, the GDPR will remain UK law, by virtue of UK legislation.

What is the purpose of the Data Protection Bill?

A new Act was always going to be required, so as to deal with those parts of the Data Protection Act 1998 which are inconsistent with the GDPR. Therefore, the Data Protection Bill (the “Bill”) will become the UK’s latest Data Protection Act, and will repeal the Data Protection Act 1998 in its entirety. However, Brexit means that the Bill is now doing far more.

First, it is extremely important that the EU continues to regard the UK as having adequate data protection laws in place following Brexit. Without these, data flows between the UK and EU countries could be significantly impeded. As such, the Bill provides for the GDPR to apply to all relevant processing, as if the GDPR's articles were part of the Bill. The Bill also provides that its provisions should be applied consistently with the interpretation of the GDPR given by the European data protection regulators (and also, presumably, the European Court of Justice).

The Bill also supplements the GDPR. It utilises the exemptions available to the UK in the GDPR (for example, certain exemptions to the Subject Access Request regime), and extends the remit of the GDPR in some respects (for example, by applying the regime to law enforcement agencies).

Where is the Bill now?

The House of Lords.

The Bill has had its first reading (13 September 2017) and second reading (10 October 2017, which included a general debate), and will proceed to the Committee stage (a line by line review of the Bill) on 30 October 2017.

The Bill is likely to change during its journey through Parliament, and is due to receive Royal Assent and come into force at the same time as the GDPR, on 25 May 2018.

What should you do to prepare for GDPR?

The GDPR will, undoubtedly, require all organisations to make changes in the way in which they process personal data. It is important that implementation is taken seriously: the GDPR (and the Bill) contain a new enforcement regime, with much stiffer fines. There are four stages to implementing the GDPR:

  1. Familiarisation. Ensure that you understand what the GDPR will require of you.
  2. Audit. What data do you process? Why do you process it? Where did it come from? Who do you disclose it to?
  3. Assess. What do you need to do to become compliant? Build an action plan.
  4. Implement. Take the necessary steps to ensure your organisation is compliant, and stays compliant.
