Government outlines detail of new UK data protection laws

In a statement of intent (30 page / 952KB PDF) the government set out its plans for the legislation, which is yet to be introduced to parliament.

Much of the planned legislation follows the lead of the GDPR, which comes into effect on 25 May 2018, but the proposals include elements which an expert said would provide comfort to businesses.

Notably the legislation will include two derogations from the GDPR aimed at providing continuity within the UK. The GDPR only permits bodies with “official authority”, such as the police, to process personal data on criminal convictions or offences, although EU member states can legislate to enable other bodies to process this data.

The government said it would seek to preserve continuity with current domestic legislation by allowing other organisations to process such data in specific circumstances.

Another derogation from the GDPR will involve legislation to enable the processing of data by automated means. The GDPR says an individual has the right not to be the subject of automated decision-making, but the UK government said some legitimate functions – such as a credit reference check at a bank – are dependent on automated decision-making and should be allowed.

It will legislate to allow automated data processing but individuals will have the right to challenge decisions made as a result.

Data protection expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said the announcement provided some certainty to businesses about the way they should handle customers' data.

"These derogations will be welcomed by business, particularly the financial services sector, and will not unduly prejudice the privacy of individuals – they are important for the prevention and detection of crime, as well as economic wellbeing of the country," Wynn said.

However she said businesses would be waiting for more detail from the Data Protection Bill when it was finally published.

"The statement of intent is still light on detail," Wynn said. "There's not much that is new or different from the GDPR. It is a step in the right direction, but it's not a big enough step forward."

Wynn said the GDPR will have direct application to the UK for a period of time while the arrangements for leaving the European Union are finalised. She said the government appeared to be seeking to implement data protection legislation which would still be applicable whatever the final deal over the withdrawal from the EU looked like.

"It's clear that they're trying to put forward something which will work both pre-Brexit and post-Brexit," said Wynn. "If the government manage to achieve this, it will be a welcome relief for organisations knowing that measures that are being put in place now for GDPR won't have to be undone post Brexit."

The proposed legislation will also give individuals the right to be forgotten and have personal data removed. Meanwhile data protection regulator, the Information Commissioner’s Office, will also be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4% of global turnover, in cases of the most serious data breaches.