Last week the UK Government gave details of a new Data Protection Bill. Teiss Head of Training and Consulting Jeremy Swinfen Green explains why this new Bill isn’t the same as the GDPR.
A new Data Protection Bill was announced in the Queen’s Speech earlier this summer. More details were given in a statement of intent published by the Government last week.
This statement seems to have created a little confusion. Some people are saying the new Bill is the GDPR. Others say that the new Bill is little more than a way for the Government to claim that the GDPR was their idea.
It isn’t as simple as that.
Let’s go back to the existing UK legislation around data privacy, the Data Protection Act (1998). This Act was a result of a 1995 EU “directive” which set out principles of data protection. Individual member states then had to pass these into law. The different states did this in different ways, resulting in an uneven data privacy playing field across Europe.
Move on 20 years. The EU has decided that, as well as strengthening consumer protections around personal data, it needs to ensure the same rules apply across Europe. The result is a “regulation”, the General Data Protection Regulation (GDPR). Unlike a directive, a regulation passes straight into law across Britain and the rest of Europe. In theory this should result in rules that can be interpreted the same way across the whole of the EU.
In the case of the GDPR, the law becomes active on 25 May 2018.
Why have a new data protection bill?
So why do we need the Data Protection Bill? There are three reasons.
First of all there is a need to repeal the existing Data Protection Act. This would probably cause confusion if it were still in place when GDPR becomes active.
Second, the GDPR allows a number of national "derogations". These are areas where national governments can take decisions about how parts of the GDPR are implemented. The Bill takes care of several of them. For instance children, who have special provisions in the GDPR, are defined as people under the age of 13.
And third there is Brexit. When we leave the EU in 2019, European Regulations will no longer apply. However, the Government has committed to having a strong data regime in the UK.
This isn’t just because it is a good thing for consumers. It is also because we need a strong data regime if we are going to trade with the European Union after Brexit. And putting the GDPR into British law should ensure that the EU is happy that the UK remains a safe place to do business. This is what the new Data Protection Bill will do.
So is the Data Protection Bill really just the GDPR in different clothes? No. There are some very important differences.
Why the GDPR is different
There are at least two important areas where the new Bill as proposed would result in a Data Protection Act that differs from the GDPR.
The right to be forgotten
The first area is the “right to be forgotten”. This right is part of the GDPR. However, in the GDPR the right is quite limited, allowing individuals the right to have data erased in certain circumstances but denying them that right in other circumstances.
The new Bill goes further in a specific instance: the posts that young people submit to social media sites. The GDPR confers the right to erasure of “personal data … processed in relation to the offer of information society services to a child” (under 13). The new Bill proposes that young people be given the right to have their data “held about them at the age of 18” deleted, upon request, from social media platforms.
In other words the right to erasure, on social media at least, appears in some ways to extend the definition of a child from 13 to 18.
This may (or may not) be a sensible provision. It is true that teenagers aren't always sensible about what they post.
But it is hard to be sure that data is erased totally on the internet, especially if it is in some way sensational. And this requirement is likely to cause a real headache for companies like Facebook and Twitter, which will have to delete posts (or allow account holders to delete posts) on both live servers and backup servers.
New criminal offences
A number of new criminal offences appear to be proposed within the new Bill. These include:
- “Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data”. In other words, if you take a data set where individual identities have been deliberately hidden and manage to re-identify people (perhaps by combining the data set with another data set), you will be committing an offence. Fair enough, most people would say!
- “Altering records with intent to prevent disclosure following a subject access request.” This is an existing offence under the Freedom of Information Act 2000 but it would be extended from public authorities to all data controllers and processors.
- Retaining data “against the wishes of the Data Controller”, even where the data was originally obtained lawfully. This extends the current prohibition from “obtaining or disclosing” personal data to “retaining” it.
Working with the new data protection rules
Complying with the new data protection rules, whether as part of the GDPR or a new Data Protection Act, isn't going to be simple. The rules are tighter in many ways than the current rules. And while FUD (Fear, Uncertainty and Doubt) is misplaced, especially around the fines that the ICO can impose (they almost certainly won't), there are good business reasons, not least around consumer trust, for complying with the rules.
But that won't be easy. The steps to take, while conceptually simple, require a lot of work. If you haven't started preparing already, then it is time to start now.
Jeremy Swinfen Green is Head of Training and Consulting at Teiss. He has worked as a digital strategist for over 20 years. His latest book The weakest link (Bloomsbury Press, 2016) explains why employees are a threat to cyber security.
Follow him on Twitter @mosocoLondon and @jswinfengreen
Image of Tower of Big Ben, under licence from Thinkstockphotos.co.uk copyright fotojog