On 7 August 2017, the British Government announced a new Data Protection Bill that will bring the EU’s General Data Protection Regulations (GDPR) into UK law, and will set out the post-Brexit position on data protection law. Mr Hancock, the Digital Minister, believes the new Data Protection Bill will give Britain one of the “most robust, yet dynamic” set of data laws in the world. With organisations in the UK and across the EEA already preparing for the biggest overhaul in data protection laws for decades with the introduction of the GDPR, how does the new Bill differ?

Not very much really… UK news coverage of the new Bill seems to suggest that “the right to be forgotten” is a dramatically new concept within data protection, however this, and much of the provisions highlighted by the Government merely implement the GDPR. For example, the Bill gives the Information Commissioner’s Office (ICO), the ability to issue higher fines, of up to £17m or 4% of global turnover in cases of the most serious data breaches – the same position adopted in the GDPR.

Nevertheless, there are some subtle differences e.g. the right to be forgotten will be extended to allow people to ask social media channels to delete information they posted in their childhood.

One notable feature of the new Bill is the creation of two new criminal offences, which could have unlimited fines:

  • the first offence makes it illegal to intentionally or recklessly re-identify people from anonymised data; and
  • the second makes organisations criminally liable if they are found to be tampering with data that has been requested by an individual.

So overall the new Bill is good news for organisations preparing for the GDPR – though those hoping to escape Brussels lawmakers will be sorely disappointed. Ultimately, the main aim is to ensure that data can continue to flow uninterrupted between the UK and EU after Brexit when the UK will be classed as a “third country” by the EU. The new Bill further emphasises the need for organisations in the UK to prepare for GDPR, because come Brexit time, things are not going to change…