GDPR implementation: The Government’s Statement of Intent

Jonathan Moore, Bevan Brittan

On 7 August 2017, the UK Government released a Statement of Intent which provides us with a useful indication of what will appear in its Data Protection Bill. We have not yet seen a draft copy of the Bill but its statement does reveal some important titbits on how the UK will implement the General Data Protection Regulation (GDPR). As has been well publicised, the GDPR will come into force across the EU, including the UK, on 25 May 2018.

The key takeaways from the statement included:

Sanctions

We already knew that once the GPDR comes into force, the maximum fine which the Information Commissioner’s Office can impose will increase from £500,000 to £17,000,000 (or 4% of the organisation’s global turnover if higher).

The Statement of Intent confirms the Government’s support for the increased sanctions which it considers will be high enough to make sure breaching data protection legislation won’t be profitable and will allow “the ICO to respond in a proportionate manner to the most serious data breaches”.

Perhaps this is an indication that, just because the ICO will have the power to respond proportionately to very serious breaches, it won’t necessarily increase the fines it already administers for more typical data breaches. We will have to wait and see.

Protecting children and the age of consent

One of the key themes of the GDPR is enhanced online protection for children and the Government will make this one of its top priorities in the new Bill.

The GDPR gives member states some flexibility in determining the age at which children can give their consent for the use of their personal data. The Government has confirmed that children as young as 13 years old will be able to give their own consent which is the youngest age permitted by the GDPR. Parents or guardians will be need to provide consent to use the personal data for those 12 and under.

The accessibility of criminal records

Under the GDPR only bodies with the requisite official authority will be able to use personal data relating to criminal convictions and offences. The GDPR does include a derogation which allows member states to expand the use of such data of which the UK intends to take advantage. The Statement of Intent confirms that prospective employers, for example, will still be able to carry criminal record checks for potential employees even after the GDPR comes into effect.

Free media

The Data Protection Act 1998 exempts journalists from certain data protection obligations. The intention of the exemption is to ensure that the freedom of the press is preserved.

The Statement of Intent confirms that the Government is satisfied that the existing exemption strikes the right balance between protecting individuals’ data protection rights and maintaining a free press and it intends to incorporate the existing exemption into the new Bill.

Automated decision making

The GDPR will give individuals the right not to be the subject of a decision which has been made automatically and without any human intervention (e.g. a decision which has been made solely by a computer).

The Government considers that there will be times when such decision making is necessary, such as credit checks. Accordingly, the Government intends to rely on another exemption in the GDPR which permits such automated decision making as long as suitable measures are in place to safeguard individual’s rights, freedoms and legitimate interests.

The Statement of Intent is a useful indication of what the Data Protection Bill may look like but the devil will no doubt be in the detail. We will have to wait for the publication of the first draft Bill before we start to form a complete picture of the future of data protection in the UK.

Events

Click here for more events