The new Data Protection Bill was published yesterday, and it is not without excitement that data protection experts are expecting to read through the complete text. In the interim, the scenario described by Her Majesty the Queen during the Queen's Speech in June, and by the government in both their statement of intent and paper released in August, is now completed by the Data Protection Bill Overview that can be found on the government's website.
The overview document of the Data Protection Bill reaffirms that the government's position is to maintain the GDPR standards. This will help the UK to be recognised by the European Commission as providing an adequate level of protection, in order to facilitate the international transfers of personal data without the need to put alternative mechanisms like model clauses in place.
The Bill will be the UK's complete data protection system
It is well known that the GDPR will apply irrespective of Brexit. In addition, the Bill will introduce a regime that covers not only the general provisions stated in the GDPR, but also recognises the importance of cyber security and introduces additional exemptions, along with law enforcement and national security data provisions.
Exemptions - The Bill aims to preserve existing tailored exemptions that we are already applying within our businesses. This means that exemptions related to financial services, journalism, research and legal services, amongst others, may not be derogated. This is certainly something that will be very welcome for many organisations. For example, the use of data for research purposes has been increasing over the years. To use data for this purpose, organisations are currently able to rely on Section 33 of the Data Protection Act 1998 (the DPA). If certain conditions are met (if personal data 'is not processed to support measures or decisions with respect to individuals, and if it is not processed in a way that substantial damage or distress is, or is likely to be, caused to any data subject'), organisations are allowed to reuse the data for as long as the research project needs, and to share it with other parties involved in the project for this purpose. In addition, the Data Protection (Processing of Sensitive Personal Data) Order 2000 introduced a condition for processing sensitive personal data for research purposes, provided that the above conditions are addressed, and if it is in the public interest.
Law enforcement - The law enforcement regime will be a bespoke one to allow the police, prosecutors and other criminal justice agencies to process data internationally, while also protecting the rights of victims, witnesses and suspects, thus complying with Article 8 of the Human Rights Act 1998.
National security - A framework will be provided to enhance the mechanisms in place for national security reasons, including restrictions on rights to access and delete data where necessary, and ensuring that the laws governing the processing of personal data by intelligence services are modern enough to face emerging national security threats.
What can organisations expect?
Any businesses processing personal data need to focus on meeting the GDPR requirements as a starting point. They must also remember that it is likely that the current processing of personal data, based on UK exemptions, will remain on a similar basis - although perhaps even more modern.
The culture surrounding privacy, cyber security and personal data is changing as a whole and organisations should envisage this scheme as an evolving, refreshing project, rather than a compliance burden. Personally, the way I see it is similar to a person debating between doing a quick 'lose-five-pounds-in-two-days-but-put-ten-on-right-afterwards' diet, or changing their eating habits. We all know what brings more benefits in the long term, and it is worth it.
Rocio De La Cruz is principal associate at Gowling WLG