The Government has published the long-awaited Data Protection Bill that will incorporate most of the provisions set out in the EU General Data Protection Regulation. This will apply from 25 May 2018, and many businesses will need to update their data security arrangements to comply with the new regulations.

  • The Bill will introduce safeguards to prevent and detect fraud, protect the freedom of the press, allow scientific research and maintain the integrity of professional sports
  • It will specifically include measures to allow action against terrorist financing, money laundering and child abuse
  • Processing done for legitimate interests will be allowed if it achieves a balance with individuals’ rights

With individual data rights being strengthened, it is the Government’s view that, as far as possible, existing lawful data processing should be allowed to continue. Consequently, the Bill assures specific UK businesses and organisations that the vital data processing they undertake for legal or public interest reasons can continue uninterrupted.

It will preserve existing tailored exemptions that have worked well in the Data Protection Act 1998, carrying them over to the new law.

The Bill will include exemptions for data processing in the following areas:

  • Processing of personal data by journalists for freedom of expression and to expose wrongdoing is to be safeguarded
  • Scientific and historical research organisations such as museums and universities will be exempt from certain obligations which would impair their core functions
  • National bodies responsible for the fight against doping in sport will continue to be able to process data to catch drug cheats
  • In the financial services sector, the pricing of risk or data processing done on suspicion of terrorist financing or money laundering will be protected
  • Where it is justified, the Bill will allow the processing of sensitive and criminal conviction data without consent, including to allow employers to fulfil obligations of employment law

Under the new regulations individuals will have more control over their data by having the right to request that their personal data be erased. This will also mean that people can ask social media channels to delete information they posted in their childhood. The reliance on default opt-out or pre-selected ‘tick boxes’, which are largely ignored, to give consent for organisations to collect personal data will also become a thing of the past.

Businesses will be supported to ensure they are able to manage and secure data properly. The data protection regulator, the Information Commissioner’s Office (ICO), will be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4 per cent of global turnover, in cases of the most serious data breaches.

Data protection rules will also be made clearer for those who handle data, but data handlers will be made more accountable for the data they process, with the priority on personal privacy rights.