Data Protection Bill 2017
by Mandy Webster
UK Data Protection Bill
In September 2017 the Department for Digital, Culture, Media & Sport announced the details of the Data Protection Bill, which is now working its way through Parliament. As organisations in the UK have already started their GDPR compliance activity, how does the Bill interact with GDPR? When will it apply? Will it change data protection law in the UK? Will GDPR apply at all?
We look at how a new Data Protection Act will interact with GDPR and give some top compliance tips.
GDPR applies directly in all EU member states from 25 May 2018. However, the new Data Protection Bill will create a framework for general data processing, like that undertaken by UK businesses, once GDPR ceases to apply directly when Britain exits the EU. The Bill also sets out modifications permitted by GDPR where the UK government is tailoring GDPR for the UK. These will apply from May 2018 when GDPR applies.
So what are the key changes you need to be aware of?
5 Key Changes Under the Data Protection Bill and How You Should Prepare for Compliance
The Bill includes some exemptions and additional provisions under GDPR. This means that you must take account of the new Bill when preparing for GDPR.
The age from which an individual will be considered an adult will be lowered from 16 in GDPR to 13 under the UK Bill. If your organisation markets to young people, you must develop a way to verify age and take steps to obtain parental consent if they are under 13.
New offences will be created where controllers deliberately destroy personal data to frustrate subject access requests. It is therefore important to train staff on this and to ensure that procedures reflect the fact that the organisation never condones the destruction or alteration of files to frustrate a subject access request.
The ‘re-identification of de-identified personal data’ is another new offence to cover activity where depersonalised personal data is reverse engineered to allow it to identify individuals for exploitation. Again, it is important to train staff that this is something they must not do and ensure that audit trails will report unusual activity around a depersonalised dataset.
The registration requirement will be reintroduced to allow the Information Commissioner’s Office to continue to collect fees. Until a formal announcement is made, organisations should continue to register for data protection and renew existing registrations.