The UK's New Data Protection Bill - What Will It Mean For You?

The last two years have been challenging ones for organizations that do business in the UK. Last spring, when the UK was still part of the EU, the European Parliament adopted the General Data Protection Regulation, marking a fundamental shift in Europe's rules for collecting and processing personal data. Just two months later, UK voters passed the Brexit referendum, leaving companies and individuals in confusion as to which data protection laws would apply.

Now, with the recently-announced Data Protection Bill, the UK government is taking steps to define the country's post-Brexit approach to data protection. As expected, the new law will implement most of the GDPR's provisions regarding individual rights and corporate responsibilities. However, the UK will deviate from the GDPR in at least a few areas, potentially creating a second set of requirements for companies that operate both in the UK and on the continent.

While the new bill has not yet been introduced into Parliament, it was described in general terms in the Queen's Speech in June, and in more detail in a statement of intent from the Department for Digital, Culture, Media and Sport. If the bill passes and becomes law (as most analysts expect), it will maintain the key provisions of the GDPR in the UK even after the Brexit process is complete.

The UK government's statement of intent, while emphasizing the importance of data protection, outlines several notable departures from the GDPR. Some of these are permitted "derogations" from the EU law, and others are separate provisions that will apply in legal areas not addressed by the GDPR:

  • The age of consent for data processing (meaning the age at which an individual can agree to have his or her personal data collected or processed) will be 13 in the UK, rather than the GDPR threshold age of 16.
  • The UK is planning to implement less restrictive versions of GDPR mandates in areas relating to criminal data, scientific and historic research, and automated decision-making.
  • The Data Protection Bill will establish a separate right for individuals to request deletion of their data from social media platforms once they reach age 18.
  • The new bill will apply data protection rules to all "general data," not only to forms of data that are governed by the EU.

When it adopts the Data Protection Bill, the UK will also formally repeal the Data Protection Act of 1998, which otherwise might create confusion as the GDPR takes effect and the Brexit process continues.

What to do now

If your organization does business in the UK, the recent announcements should at least eliminate any lingering questions about the need to prepare for GDPR compliance. The GDPR's requirements for protecting consumer data against cyber threats, along with its potentially devastating fines for infractions, will apply in the UK before and after the country leaves the EU.

For companies who will operate both in the UK and in the post-Brexit EU, the Data Protection Bill may create the need for separate business processes in different jurisdictions. Organizations should continue to monitor the progress of the new UK bill, along with similar measures that have been introduced in Germany and elsewhere.

Is your organization prepared for the GDPR? PKWARE's Smartcrypt can help you keep sensitive customer data safe and demonstrate compliance with the EU's new data protection law. Find out how today!