On 7 August, the government issued a "statement of intent" in relation to the Data Protection Bill, which will implement the much-heralded EU General Data Protection Regulation (GDPR) due to come into effect on 25 May 2018, and replace the current Data Protection Act in the UK.

So far, there has been a lot of uncertainty in relation to GDPR, in terms of exactly what it will look like in the UK, and the extent to which the key concepts that we are used to in the UK from the Data Protection Act will be retained. Further information on this has been expected from the government following the announcement in June of its plans to introduce a new Data Protection Bill.

The government's position, what we can expect, and when

The government has yet to announce precisely when the draft replacement for the current Data Protection Act will be published, but it may be as early as September 2017.

The government's statement of intent clarifies that the new law will replace the existing UK data protection laws, but offers reassurance that the new regime will be implemented in a way that, as far as possible, preserves the existing data protection concepts we are used to in the UK.

The statement of intent sets out the government's objectives which include maintaining public trust and confidence in the processing of personal data and the ability to transfer data across international borders. The new law aims to provide continuity of data protection standards following Brexit.

Under the new data protection regime, the Information Commissioner will retain existing powers and gain additional authority to impose greater sanctions for data breaches. Fines of up to £17 million or 4% of global turnover could be imposed; currently, the maximum fine that can be issued is £0.5 million. The new law will create two new criminal offences: intentionally or recklessly re-identifying individuals from anonymised data, and altering records with the intention of preventing disclosure of that information following a subject access request. These offences will incur unlimited fines and may be 'reportable' offences, i.e. they may be included on a criminal record check.

The GDPR will enhance existing data protection rights for individuals, including in relation to consent, access to data and the right to be forgotten. However, organisations will also welcome the news that the government intends to retain some of the current UK exemptions and derogations (which are essentially what businesses use to enable them to process personal data), subject of course to some necessary adjustments to match up with the GDPR.

In particular, the statement of intent outlines certain "notable" derogations that will be retained from the current law including:

  • preserving the current approach to the treatment of criminal offence data, so that organisations can process criminal convictions and offences data;
  • allowing the use of automated decision making provided that individuals can request that processing is reviewed by a person rather than a machine.

What this means for employers

Businesses are still waiting for more detail: the statement does not provide information that is significantly new or different from what is in the GDPR, and it leaves many questions unanswered and ongoing uncertainty for businesses.

However, there is no doubt that the GDPR is tightening up the way in which data can be processed, and the exemptions and derogations in the UK law will need to reflect this – as will the data protection policies of UK businesses. For example, we will not see businesses being able to use consent in the same general and wide way as they do currently. From an HR perspective, the current exemption of processing because of "necessity" will be used far more widely.

So we know change is coming. And the increased potential sanctions mean that businesses do need to take these changes and their management seriously.

What can we do to help?

We are working with companies to review the GDPR, and the planning which companies have in place to deal with its implementation. We can assist in relation to considering the planning that you should be putting in place, and the elements that you need to review to get you in a good position to deal with GDPR.

We will shortly be publishing an updated guide outlining the key steps organisations should be taking to prepare for the change in the law from an HR perspective. In addition, as soon as possible after the Bill is published in September, we will be holding a telephone conference briefing for our clients to run through the key practical implications of the proposed new law from an HR perspective. This will be of interest to HR Directors and managers, compliance and in-house counsel.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.