The Government has published its own Data Protection Bill, just ahead of the GDPR coming into force next spring. So what should businesses do now in terms of their own data collection and processing?
As we reported in another post, the Government recently published its Data Protection Bill. It’s intended to put data protection law, which is currently covered by EU legislation, on a domestic basis in preparation for Brexit.
“The introduction of the Data Protection Bill is welcome as it will put in place one of the final pieces of much needed data protection reform,” commented Elizabeth Denham, the Information Commissioner, in a statement released at the same time. “Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime. I will be providing my own input as necessary during the legislative process.”
However, the publication of the Bill comes at a time when businesses are already gearing up for the General Data Protection Regulation (GDPR) to come into force next May. What is the relationship between the two pieces of legislation – and what do they both mean for businesses?
As you might expect, when it comes to European legislation, Brexit has thrown a spanner in the works. What we can say is that when the GDPR becomes law on 25 May 2018, the UK will still be in the EU, even though it is planning to leave. Once Brexit actually happens, the GDPR may appear in a different light, since the UK will be a ‘third country’ outside the EU, and will no longer have a seat on the European Data Protection Board.
The Data Protection Bill is, effectively, a way for the Government to prevent these problems before they arise, by enshrining the GDPR in UK law. Like the GDPR, the Bill is expected to come into force on 25 May 2018, providing continuity during and after Brexit and aiming to make sure that the law will still work once the UK leaves the EU.
If your business or organisation is already preparing for the GDPR, nothing has really changed. All the main rights and obligations are the same, so you should continue with your preparations as before.