On 7th August 2017, the UK Government published a Statement of Intent (SoI) in relation to a new Data Protection Act. The Bill will be published in September and the Act must be in force by 25th May 2018.
The purpose of the Act is to import into domestic law the EU General Data Protection Regulation (GDPR) and the EU Data Protection Law Enforcement Directive (DPLED), which replace the 1995 Framework Directive. Despite Brexit, the UK is committed to importing the Directives into domestic law – not to do so would create fundamental, if not insuperable, problems for businesses, regulators and law enforcement agencies.
What the SoI tells us about the Bill
The Government states that the Bill will introduce:
- A requirement that any organisation that processes or stores ‘large amounts of personal data’ creates the role of Data Protection Officer (DPO) to advise data controllers on data issues, handle complaints and ensure compliance with the DPLED.
- A more prescriptive logging requirement for automated processing systems that operate the collection, alteration, consultation, disclosure, combination and erasure of data, to ensure that a full audit trail can be made available.
- Clarity for international data transfers to ensure that critical data sharing can be effective.
The following changes will be made to the data protection enforcement regime under the auspices of a ‘tough regulator’. The Information Commissioner’s Office (ICO) will be empowered to take the following actions:
- Investigative powers – the ICO will continue to have the ability to request information from data controllers and processors, enter and inspect premises, carry out audits and require improvements.
- Civil sanctions – currently, the maximum fine the ICO can issue is £500,000. Larger fines of up to £17m (€20m) or 4% of global turnover will be permitted, enabling the ICO ‘to respond in a proportionate manner to the most serious data breaches’.
- Criminal sanctions – the ICO or the CPS will continue to prosecute. The most serious offences will become recordable. Offences will be ‘modernised’ to ensure that prosecutions continue to be effective. There will be new offences to deal with ‘emerging threats’.
In particular, the Government promises to:
- Create a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised (for example, key-coded) data. Individuals who knowingly handle or process such data will also be guilty of an offence. The maximum penalty is likely to be an unlimited fine.
- Create a new offence of altering records with intent to prevent disclosure following a subject access request. The maximum penalty is likely to be an unlimited fine.
- Widen the existing offence of unlawfully obtaining data – to capture those who retain data against the wishes of the data subject, even if such data was, initially, lawfully obtained.
- Offer protection to journalists and whistleblowers, through exemptions in certain clearly defined circumstances.
As with the DPA 1998, the GDPR applies to ‘personal data’. Personal data is currently defined as data which relate to a living individual who can be identified from it, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
However, the GDPR’s definition is more detailed and makes clear that information such as an online identifier, for example an IP address, can itself be personal data. The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA 1998 definition and could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised can fall within the scope of the GDPR depending on how difficult it is to attribute a pseudonym to a particular individual.
Sensitive personal data
The GDPR refers to sensitive personal data as ‘special categories of personal data’. These categories are broadly the same as those in the DPA 1998, but there are some changes. For example, the special categories specifically include genetic data and biometric data (where processed in such a way as uniquely to identify an individual). Personal data relating to criminal convictions and offences are not included, but additional safeguards apply to the processing of such data.
What businesses can do to prepare for change
Different rules apply to organisations with more than 250 employees but, in essence, organisations must:
- Implement appropriate technical and organisational measures to ensure, and demonstrate, compliance. Such measures may include internal data protection policies such as staff training, internal audits of processing activities and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Conduct data protection impact assessments, where appropriate.
- Appoint a data protection officer, where appropriate.
- Implement measures that meet the principles of ‘data protection by design’ and ‘data protection by default’. Such measures could include:
  - Data minimisation
  - Data pseudonymisation
  - Enhancing transparency
  - Allowing individuals to monitor data processing
  - Creating, monitoring and improving security features
- Adopt and adhere to approved codes of conduct and/or certification schemes.
Response to the Pre-Legislative Consultation
In May 2017, the Government received 324 responses to their ‘Call for Views’ on the implementation of the GDPR.
The Law Society and the General Council of the Bar expressed a number of concerns in relation to:
- a significant erosion of legal professional privilege
- difficulties in deploying material for the purpose of mitigation in court
- difficulties in deploying third party criminal convictions in court
- the practical impossibility of obtaining consent for processing data from former clients, and from current clients who are minors or are mentally incapable of providing consent
- the status of individual barristers as DPOs
- the possible need for a ‘Chambers DPO’
The General Medical Council informed the Government that the GDPR raises problems with:
- the level of penalties for public authorities
- the stymying of research – much of the GMC’s research relies on having a complete cohort in the dataset – if individuals could opt out in significant numbers or prevent the processing, this would reduce the value of the data or make it unusable
- the outsourcing of data processing and the reality of ‘Joint Data Controllers’
The Gambling Commission identified the following problems:
- the mechanism by which businesses and organisations exchange information for the purpose of ensuring betting integrity may be compromised
- ‘the right to erasure’ conflicts with the socially important principle of ‘self-exclusion’ as a mechanism for consumers to control their gambling
- the right to erasure may raise a conflict with anti-money laundering compliance requirements in relation to enhanced due diligence records
It remains to be seen whether, and if so how, the UK Government proposes to deal with those issues and others raised by commercial organisations and NGOs.
On 1st December 2016, the EU announced the creation of the EU-US data protection ‘Umbrella Agreement’ which put in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation. Its commercial equivalent – the EU-US ‘Privacy Shield’ – remains contested and its implementation will be reviewed alongside the domestic implementation of the GDPR.
While the features of a new UK Data Protection Act are emerging from the GDPR, the detail, and much that is important for UK businesses, remains obscure. The Government of the Netherlands has opted to set the maximum level of fine for ‘egregious’ breaches of their new domestic criminal offences at 10% of global turnover. It remains to be seen whether the UK’s tough new enforcement regime will be as tough as it claims or might yet be tougher still.