The UK's new Data Protection Bill, published today, contains exemptions carried over from the existing Data Protection Act, the government has revealed.
The Bill will transpose the European Union's General Data Protection Regulation (GDPR) into UK law, post-Brexit. The measure is necessary as the GDPR is a centralised Regulation that therefore won't apply to the UK when it formally leaves the EU.
In order to ensure a smooth switch, therefore, the UK needs equivalent legislation in place before Brexit. A directive, in contrast, requires legislation to be passed in member states' legislatures.
Existing exemptions that ‘have worked well’ in the Data Protection Act - which will be replaced by the new Bill - will carry over to the new law, the government has said in a proposal. The sectors covered include journalism, financial services and research institutions.
The intent behind the proposal is ‘to ensure that UK businesses and organisations can continue to support world leading research, financial services, journalism and legal services,’ the government said in its latest update.
Workers in several key fields who need to handle sensitive personal data without the owner's consent would be protected by the exemptions, including:
- Anti-doping agencies in sports, trying to catch drug cheats;
- Journalists who must access personal data ‘for freedom of expression and to expose wrongdoing’;
- Research institutions, such as museums and universities;
- Financial services firms that price risk or process data on suspicion of terrorist financing or money laundering; and,
- Employees who access data with a justifiable reason but without consent, to fulfil obligations of employment law.
Enacting GDPR equivalency
The Data Protection Bill is intended to bring UK law in line with the General Data Protection Regulation. Both come into effect in May 2018, with the intent of giving consumers more control over their personal data and punishing companies that mishandle it; the maximum fine for a breach is four per cent of global turnover, or £17m (whichever is higher). Under current law, the maximum fine is just £500,000, with a 20 per cent discount for early payment.
Greg Day, vice president and chief security officer EMEA at Palo Alto Networks, told Computing: "The publishing of the Data Protection Bill today gives the country's business and cybersecurity leadership the clear certainty and direction on data security they've been seeking.
"How the government is implementing GDPR so thoroughly, as well as taking this opportunity to adjust domestic law to ensure clarity of roles and responsibilities for all, shows a real determination to make the UK a true leader in how organisations preserve digital trust and citizens take control about how their personal data is used.
"We look forward to this bill passing through Parliament, and how its measures, once enacted, underpin how the UK continues to build a safe, strong and dynamic digital economy."