The Government has this week issued a Statement of Intent (accessible here) setting out its plans for a new Data Protection Bill. Once implemented, the Bill will overhaul the data protection regime in the UK. The Statement acknowledges that the EU General Data Protection Regulation (GDPR) will have direct effect in the United Kingdom until Brexit. It also provides some detail about how the UK will approach local law derogations that are permitted under the GDPR.
The Minister of State for Digital, Matt Hancock MP, refers to the ‘gold standard’ of data protection laws in the UK. He also emphasises the UK’s desire to continue this gold standard and to move forward in a way which ensures that the transition once the UK leaves the EU is as smooth as possible for all, while complying with the GDPR and other relevant EU directives in full.
The Statement echoes key principles under the GDPR, such as:
(See further details on the GDPR here). The civil sanctions referred to in the Statement also compare, with the ICO to be given powers to levy fines of up to £17 million (€20 million) or 4% of global turnover.
The Statement refers to some areas where the UK will go further than the requirements of the GDPR or exercise derogations which are provided for under the GDPR. These include:
Both of these sanctions carry maximum penalties of an unlimited fine.
It is reported that the Government is expected to publish the text of the Bill in early September.
In the meantime, businesses should continue to prepare for the GDPR, but bear in mind that their GDPR policies and procedures may need to be re-visited once the Bill is issued and becomes law.
+44 (0)118 402 3833