The U.K.'s New Data Protection Bill

View Jamie Witton’s LinkedIn profile View Jamie Witton’s profile

This morning the Minister of State for Digital, Matt Hancock, released a statement of intent for the UK’s new Data Protection Bill. The Bill has already been through a consulting phase and the Minister has set the Bill’s scheduled implementation date for May 2018, clearly aiming to coincide with the 25 May 2018 implementation date of the EU’s General Data Protection Regulation (GDPR).

Accompanied by a YouTube video and a press release, the statement of intent quickly garnered interest across the news and media - it’s certainly positive to see that data protection matters really are at the forefront of the minds of both consumers and businesses at present as we prepare to go through the biggest changes to these laws in the last 20 years. The Minister rightly wants these new “dynamic” data protection laws to protect the UK’s burgeoning data industry.

The summary highlights consumer concerns about the right to be forgotten, particularly on social media platforms, and stresses that the Bill will improve consumer rights here.  In addition, the Bill will ensure that there are “tougher rules” on the data subject’s right to access, move and delete personal data. 

Some further highlights:

  • The definition of ‘personal data’ will include DNA, IP addresses and internet cookies as a matter of fact;
  • The Information Commissioner’s Office will be granted increased powers to “defend consumer interests” and issue penalties for infractions equivalent to GDPR standards;
  • Consent will be brought up to the high standards stipulated by the GDPR; and
  • There are new criminal consequences for organisations which “either intentionally or recklessly” enable a data subject to be identified from anonymised data.

These points aren’t surprising given the evident desire to show the EU that the UK will have equivalent data protection standards following Brexit; the aim being to ensure that data flows from the EU to the UK continue unhindered following the UK’s exit from the EU.  The introduction of a new criminal offence is also an example of the UK continuing to take this matter seriously, operating at the leading edge of enforcement action for data protection offences.

Perhaps interestingly, in his YouTube video the Minister finished his wrap up of the tougher rules articulated above by saying “and the Bill will bring EU law into UK law…”, with added emphasis, suggesting the Minister is serious about ensuring that UK data protection law meets the requirements of the GDPR.  This will be a welcome stance for U.K. organisations, who are looking for certainty on the way ahead and for a level playing field with Europe.

As more information becomes available, PwC will bring you further updates via our blog.  You can read the full 25 page statement of intent on the website here.