The new UK Data Protection Bill, which was published on September 14, will transfer the GDPR into UK law and replace the existing Data Protection Act 1998. It includes several important provisions that businesses need to know about.
The Data Protection Bill will bring European standards into UK law ahead of Brexit, to ensure that the UK is still in line with the GDPR once the UK leaves the European Union. It will operate ‘in tandem’ with the GDPR until the UK actually leaves, at which point all data protection will be covered by domestic law.
Although the Bill is likely to change as it passes through Parliament, it’s worth getting familiar with its content now, so you can prepare for any changes you need to make.
The Bill will make UK laws on data protection fit for the digital age. More and more data is being collected and processed, and individuals need new ways to control how and when their data is used.
However, even though individual data rights are being strengthened, the Government is aiming to ensure that data processing that is currently lawful, or carried out in the public interest, will be able to continue as before. The new Bill will also include safeguards to prevent fraud, protect the freedom of the press, allow scientific research and maintain the integrity of professional sports.
There are several provisions that are likely to affect employers and HR departments. The Bill preserves some exemptions that are currently made under UK data protection law, such as those covering individuals’ rights to access data on confidential references or management plans (such as plans for collective redundancies).
However, there are also some new requirements. One is the requirement for an ‘appropriate policy document’ when ‘special category data’ (for example, data on health, racial or ethnic origin or religious beliefs) is processed on the grounds that employment law requires it. Since employers are likely to rely on the ‘employment law’ basis for processing such data, they are likely to need a policy document.
Under the GDPR, consumers will gain the ‘right to be forgotten’. They will be able to ask businesses and organisations for access to their personal data, and request that it be wiped or updated. Firms will also have to obtain explicit consent to process sensitive data – in other words, people must opt in, not just fail to opt out.
The UK Bill will add a requirement for social-media platforms to delete all of someone’s posts from before they were 18, if they request it.
With the uncertainty surrounding the Brexit negotiations, some firms may have been adopting a ‘wait and see’ policy, in case the GDPR never actually makes it into UK law. With the publication of the Data Protection Bill, it’s clear that the law is coming whatever happens with Brexit. So firms need to start preparing for any necessary changes now.
The key point is that businesses will need to know exactly what data they are storing about people, how to access it and how to edit or erase it if they need to. Firms also need to be sure that they have the proper consent to collect and process data, and know exactly what to do in the event of a data breach.
There is a clear trend for governments to legislate more heavily to protect people’s personal data, so it pays to get ahead of the curve now. At the same time, the media is increasingly shining the spotlight on data breaches, so there’s a significant reputational risk on top of the financial and legal ones. At the very least, firms need to ensure they will be ready for GDPR compliance by 25 May 2018.