Blog: Data Protection Bill set to be most robust data law ever
Daradjeet Jagpal looks at the provisions of new legislation set to bring the data protection regime into the 21st century.
The UK government has published a statement of intent, setting out details of the forthcoming Data Protection Bill. The bill will be published next month and will give effect to the EU General Data Protection Regulation (GDPR) in the UK from May 2018.
The statement follows on from the government’s “call for views” in April on how it should implement the permitted exemptions within the GDPR (to which it received 324 responses) and the government’s commitment to introducing the bill in the Queen’s Speech in June.
The digital minister noted that the “Bill will bring our data protection laws up to date…and will both support innovation, and ensure that we can remain assured that our data is safe as we move into a future digital world”. The minister also promised that the new bill “will give us one of the most robust, yet dynamic, set of data laws in the world” that “protect privacy, strengthens rights and empowers individuals to have more control over their personal data”.
The bill will apply to all personal data, not just personal data that falls within areas of EU competence. It will preserve much of the content of the GDPR, although the government has confirmed its intention to apply exemptions from the GDPR, two of which will make the bill more palatable to business.
The first of these allows organisations other than the police to process personal data on criminal convictions and offences. The second concerns automated data processing. The GDPR gives individuals the right not to be subject to automated decision-making, but there are certain sectors, including financial services, that rely heavily on this type of data processing. The bill will permit automated data processing, but individuals will have the right to challenge any resulting decisions and request human intervention. The bill will repeal and replace the existing law, the Data Protection Act 1998, in its entirety.
Some of the key features of the bill will include:
While the statement represents an important milestone in the current process of data protection reform and confirms that work on the content of the Data Protection Bill is already under way and at an advanced stage, it is only a statement of the government’s intention to introduce legislation making specific provisions as to the law. Those looking for a more concrete steer are advised to wait for the bill.
However, that is not to suggest that organisations can rest in blissful ignorance in the meantime. The GDPR represents, in the ICO’s words, “the biggest change to data protection law for a generation”, and organisations should begin their preparations now to ensure that their data processing practices, policies, procedures and data security meet the higher standards contained within the GDPR. Indeed, if the bill does not receive Royal Assent and does not come into force on or before 25 May 2018, then the Regulation will be directly applicable from that date, and there will be no grace period – or mercy from the ICO – for organisations that fail to comply from day zero.