- By Rocio de la Cruz, Principal Associate at Gowling WLG
New Data Protection Bill on the Block
The new Data Protection Bill has been published and it is not without excitement that data protection experts are expecting to read through the complete text of the New Data Protection Bill. In the interim, the scenario described by her Majesty the Queen during the Queen's Speech in June 2017 and by the Government in both their statement of intent and paper released in August 2017 (where the UK Government's position on the implementation of a new regime was outlined), is now completed by the Data Protection Bill Overview that can also be found on the Government's website.
Is GDPR still relevant for businesses in the UK?
The overview document of the Data Protection Bill reaffirms that the Government's position is to maintain the GDPR standards. This will help the UK to be recognised by the European Commission as to provide an adequate level of protection, in order to facilitate the international transfers of personal data without the need of putting in place alternative mechanisms like model clauses.
READ MORE: Eight things to do if you want to break data protection rules
The Bill will be the UK complete data protection system
It is well known that GDPR will apply irrespective of Brexit. In addition, the Bill will introduce a regime covering not only the general provisions stated in the GDPR, but also understanding the importance of cyber security, and introducing additional exemptions along with law enforcement and national security data provisions.
- Exemptions- The Bill aims to preserve existing tailored exemptions that we are already applying within our businesses. This means that exemptions related to financial services, journalism, research and legal services (amongst others) may not be derogated. This is certainly something that will be very welcome by many organisations. For example, the use of data for research purposes has been increasing all over the years due to the different benefits that this method can bring to businesses and individuals. To use the data for this purpose organisations currently are able to rely on Section 33 of the Data Protection Act 1998 (the DPA), where if certain conditions are met (if personal data is not processed to support measures of decisions with respect to individuals, and if it is not processed in a way that substantial damage or distress is, or is likely to be, caused to any data subject) , it is allowed to reuse the data for as long as the research project needs, and to share it with other parties involved in the project for this purpose. In addition, the Data Protection (Processing of Sensitive Personal Data) Order 2000 introduced a condition for processing sensitive personal data for research purposes, provided that the above conditions are met, and if it is in the public interest.
READ MORE: Brexit and GDPR: How will it affect you?
- Law enforcement- The law enforcement regime will be a bespoke one to allow the police, prosecutors and other criminal justice agencies to internationally process data but also protecting the rights of victims, witnesses and suspects, thus complying with Article 8 of the Human Rights Act 1998.
- National security- A framework will be provided to enhance the mechanisms in place for national security reasons, including restrictions on rights to access and delete data where necessary, and ensuring that the laws governing the processing of personal data by intelligence services are modern enough to face emerging national security threats.
READ MORE: Are GDPR data requirements set to be a headache for organisations?
What can organisations expect?
Any businesses processing personal data need to keep working on meeting the GDPR standards as a starting point and bearing in mind that likely, the current processing or personal data based on UK exemptions will remain on a similar (although perhaps even more modern) basis.
The culture surrounding privacy, cyber security, and personal data is changing as a whole and organisations should envisage this scheme as an evolving, mind refreshing project, rather than a compliance burden. Personally, the way I see it is like when a person debates between doing a "quick-diet-where-they-will-loose-five-pounds-in-two-days-but-putting-ten-right-afterwards", or changing their eating habits. Indeed, we all know what brings more benefits in a long term period. And it is worth it.