The UK Government unveiled its new Data Protection Bill (DPB) in September, the UK equivalent of the EU’s General Data Protection Regulations (GDPR), which will see many of the data protection requirements of GDPR enshrined in UK law. The move was essential following Brexit to ensure we benefit from the modernisation of data protection (the current Data Protection Act (DPA) is now 20 years old) ushered in by the GDPR and to bring our data handling practises in line with the rest of Europe.

The DPB will uphold many of the GDPR requirements and will better protect citizens’ personal data, but it also differs in some respects. The DPB will not support the right to make ‘super complaints’ by privacy groups, for example, but will include an additional clause which allows an individual to request the deletion of all social media data before they turned 18. There will be unlimited fines for data breaches where it has been proven that users have been re-identified from anonymous data or in cases where there has been data tampering. These exceptions aside, the DPB will see the main tenets of the GDPR become law from 25 May 2018. 

Many businesses which are already DPA compliant regard the GDPR as simply a revision of the DPA which will require minimal change on their part. However, there are some crucial difference between the GDPR and the DPA. 

What’s changing

While the DPA uses eight key principles, the GDPR is based upon 99 Articles that tackle data protection in far greater depth and extend citizens’ rights to control data processing. The key differences are that GDPR… 

  • Delineates responsibility for data protection according to role ie data controller (ie company demanding the data), data processor (ie those handling data such as cloud service providers) and Data Protection Officers (DPOs). The DPO is a new introduction. This person is appointed by the controller and processor and oversees compliance
  • Extends protection of Personal Identification data from name, address etc to include web data ie IP addresses and cookies. Other types of data covered include genetic data, biometric data, ethnicity and racial data
  • Introduces more consumer rights. These include the ‘right to be forgotten’ (now referred to as the right to erasure), as well as the right to be informed, right to access data, right to rectification, right to erasure, right to restrict processing, right to data portability, the right to object and the right to automated decision making and profiling
  • Requires Data Protection Impact Assessments (DPIAs) as a form of breach mitigation. These will help organisations identify risk and provide opportunities to reduce vulnerabilities and the steps taken are then documented by these assessments
  • Increases fines from the current £500,000 maximum fine for breaching the current DPA to up to £17m, or 4 per cent of a company’s global turnover. Plus fines are no longer limited to loss of data but can be issued in the event that a breach can be deemed to have led to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data 

Businesses will need to begin to assess and appraise whether they meet the requirements ahead of the deadline. To find out whether your data handling processes are GDPR ready, contact us today or take our quick GDPR Readiness Assessment to establish where you need to focus resource.