I touched on the history of data protection in the UK and the key differences between the existing regime (arising from the Data Protection Act 1998) and the likely position beyond May 2018. I went on to suggest some practical steps to be taken in readiness.
I also mentioned that even though the GDPR will have a direct effect in the UK from May 2018, the UK government nonetheless intended to publish a Data Protection Bill in the coming weeks. The good parliamentary draftsmen and women have been working hard behind the scenes and as promised, on 13 September 2017 the new bill received its first reading in the House of Lords. The full text in PDF format can be found here and stretches to over 200 pages.
The bill contains seven parts, covering the general processing of data, processing by law enforcement and the intelligence services, the role of the Information Commissioner and the enforcement system.
Given the need to draft legislation future-proofed for post-Brexit Britain, the bill imports the already directly effective GDPR “as if its Articles were part of an Act extending to England and Wales, Scotland and Northern Ireland”. The desire to create a freestanding UK Act of Parliament makes for a slightly unwieldy read at times, but as a whole, the two are neatly sewn together.
Importantly the bill explores in depth the available derogations (many of which were hard won) and the various extensions which will apply in the UK only.
The Data Protection Bill will now go through a number of readings in both Houses of Parliament before receiving royal assent. The next, and first true test will come with its second reading in the House of Lords on 10 October 2017.
Although we won’t know the final form of the Data Protection Act for some time, we now have a much better understanding of what the data protection landscape in the UK will look like, perhaps for another two decades.
Over the coming weeks and months, this should give business a head start on implementing protocols, procedures and a genuinely reformed way of operating that will be consistent with both the GDPR and the new Data Protection Act.
Christopher Burt (email@example.com)
This is intended for general information only and should not be considered as giving advice in relation to any individual case nor be taken as applying to any individual case. No liability is accepted for any use of the information contained in this blog post.