By now businesses should be well aware that the General Data Protection Regulation (GDPR) is coming into force on 25 May 2018. It has direct effect across all EU member states and organisations must comply with its requirements.
However, the GDPR does not cover all of our data protection requirements at a national level, although it does allow member states limited opportunities to make provisions for how it applies in their country.
The ICO has confirmed that the Data Protection Bill will not transpose the GDPR into UK law, before or after the day the UK leaves the EU. The government plans to achieve this through the European Union (Withdrawal) Bill (after its adoption as an Act).
Once the UK leaves the EU, the Bill will help ensure that the standards of the GDPR are enshrined in UK law.
What is the purpose?
It is intended to provide a comprehensive package to protect personal data. It will supplement the GDPR, implement the EU Law Enforcement Directive, and extend data protection laws to areas that are not covered by the GDPR. It applies GDPR standards, but it has been amended to adjust those that would not work in the national context.
The Bill also increases the maximum level of fines in the UK so that it is consistent with the GDPR. The Bill also adds to and modernises many of the offences currently contained within the Data Protection Act 1998.
What does it cover?
The Bill seeks to introduce four distinct data protection regimes into UK data protection law. Each regime regulates the processing of personal data for a specific type or category of processing. The four regimes cover processing:
- Within the scope of the GDPR;
- Outside the scope of the GDPR;
- By competent authorities for law enforcement purposes; and
- By the intelligence services.
It’s likely that most organisations will be concerned with only the two ‘general processing’ regimes set out in the first two bullet points above. The other two regimes apply to a limited group of controllers: law enforcement ‘competent authorities’ and the intelligence services.
When does it come into force?
The ICO introduction to the Data Protection Bill states that the Bill should be ready to take effect in May when these EU laws take effect.