Today the UK Government published a Statement of Intent with its plans to bring the General Data Protection Regulation (GDPR) into law. In the Statement of Intent the Government repeats its intention to introduce GDPR despite Brexit and also talks about the creation of new criminal offences to deter organisations from either intentionally or recklessly creating situations where someone could be identified from anonymized data.
Some technical terms are used in this note which are explained in our glossary here – http://www.corderycompliance.com/eu-data-protection-regulation-glossary/
What is the focus?
The focus is on a number of key elements of GDPR including:
The Right to be Forgotten/Right to Erasure
The wide definition of personal data
Free Subject Access Requests (SARs)
We have talked a lot recently about the increasing importance of SARs in our detailed guidance on GDPR. We have also blogged about the importance of the Right to be Forgotten in our review of the last year in data protection here http://www.corderycompliance.com/client-alert-uk-data-protection-regulators-report-shows-likely-gdpr-activity/.
In an accompanying film the Rt Hon Matt Hancock MP, the Minister of State for Digital, said that the Bill will “allow the UK to set the gold standard on data protection”. This is one of a number of somewhat surprising assertions in the package, including the Government’s statement that the Bill will “require ‘explicit’ consent to be necessary for processing sensitive personal data”. This would seem to go further GDPR which does not require consent in every case.
The Statement of Intent is some 30 pages long and we will discuss this in more detail on our next GDPR Navigator call. In the meantime some areas of note are as follows:-
It would seem that in part the driver for the UK Government’s announcement is the need to look at an effective system of data transfer post-Brexit. Our Privacy Shield FAQs (http://www.corderycompliance.com/privacy-shield-faqs/) look at the rising tension with the forthcoming Privacy Shield annual review. The UK is concerned that any UK data protection legislation is regarded as adequate by the EU to avoid the issues that transfers to the US had with the annulment of Safe Harbor and the uncertainties around Privacy Shield. The Statement of Intent looks at this specifically:-
“The ability to transfer data across international borders is crucial to a well functioning economy. We are committed to ensuring that uninterrupted data flows continue between the UK, the EU and other countries around the world. The Data Protection Bill will place us on the front foot in allowing the UK to maximise future data relationships with the EU and elsewhere.”
New criminal offences
Alongside measures to implement GDPR the UK also intends to look at additional criminal sanctions for data misuse. In serious cases the offences will become recordable offences i.e. they will mean that the individual concerned gets a police record which may restrict employment opportunities. Specifically the paper looks at 3 criminal offences:-
A new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Anyone who knowingly processes this data would be guilty of a criminal offence. The maximum penalty would be an unlimited fine.
A new offence of altering records with intent to prevent disclosure following a SAR. This would apply to all data controllers and processors. The maximum penalty would be an unlimited fine in England and Wales – slightly different rules apply in Scotland and Northern Ireland. This shows the increased focus on SARs in the new legislation. We’ve talked a lot about this recently for example in our review in July of the ICO’s Annual Report and in our detailed review of the UK’s new Subject Access Code of Practice http://www.corderycompliance.com/client-alert-uk-data-protection-regulators-report-shows-likely-gdpr-activity/
Widening the existing offence of unlawfully obtaining data to also include people who retain data against the wishes of the data controller (even if they initially obtained it lawfully). The existing offence under s.55 of the Data Protection Act 1998 has been used successfully by the ICO – for example last month a recruitment manager was prosecuted for emailing CVs to an external recruitment firm – https://ico.org.uk/action-weve-taken/enforcement/stuart-franklin/. It is likely that this wider offence will make convictions easier to secure. It may also have consequences for those procuring information from others whilst turning a blind eye to the legality.
There is a brief introduction to GDPR in our film here: www.bit.ly/gdprfilm. There are more details of GDPR’s provisions in our FAQs here: www.bit.ly/gdprfaq. Cordery’s GDPR Navigator includes detailed guidance, films and regular calls discussing these and other GDPR-related topics. You can find out more about GDPR Navigator here: www.bit.ly/gdprnav.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)207 075 1785