As we draw nearer to the end of the year and we enter the last stretch to the GDPR compliance deadline, the UK has recently announced its own bill on data protection has entered Parliament for assessment. With two data protection regulations on the table though, which one are UK companies supposed to follow? Can they escape the scourge of the GDPR or will more requirements be added to their already full plate? Let’s take a closer look!
What is the UK Data Protection Bill?
The first draft of the UK Data Protection Bill was made public on 14 September 2017, after it passed its second reading in the House of Lords. Its aim is to modernize data protection laws in the UK for the 21st century, give people more control over their data, and provide them with new rights to move or delete personal data. It will be replacing the now outdated Data Protection Act 1998.
Its stipulations align themselves to the EU’s new General Data Protection Regulation (GDPR) which the UK, although it has triggered article 50 of the Lisbon Treaty which signals its impending retreat from the EU, must still be compliant with for the remainder of its stay in the Union. In other words, for the two years it will take to negotiate its exit, the UK will still be classed as a member state in regards to the GDPR.
The Bill’s close alignment to the GDPR is hoped to provide uninterrupted data flows between the UK and the EU post-Brexit. Although its status will become that of a third-country in regards to EU data protection, with the Data Protection Bill finely tuned to the requirements of the GDPR, the UK is bound to be marked as adequate for cross-border transfers by the European Commission and thus ensure that its businesses dealing with European clients will continue to be GDPR-compliant.
A closer look at the UK Data Protection Bill
The GDPR, while including many iron-clad stipulations relating to general data processing standards, allows room for interpretation at national level in the case of others. The UK Data Protection Bill aims to clarify these provisions by giving a UK context to concepts enunciated in the GDPR. It regulates, for example, the relationship between the data controller and data processor by outlining the expectations and requirements of both parties.
The Bill will also be used to implement the EU’s Law Enforcement Directive, that, while separate from the GDPR, is part of the EU’s data protection reform framework. It details the regulations for the processing of personal data by the police, prosecutors and other criminal justice agencies for law enforcement purposes.
Issues pertaining to data protection in regards to national security, which falls outside the scope of EU Law, are likewise listed in the bill. These will ensure that personal data processing by intelligence services is also modernized and adheres to international standards, with the appropriate safeguards to ensure they can continue to deal with existing, new and emerging national security threats.
Furthermore, the Bill sets down the rules that will govern the regulation and enforcement of the new data protection legislation. In the UK, it will fall under the jurisdiction of the Information Commissioner’s Office (ICO) and, in agreement with the stipulations of the GDPR, levy fines on data controllers and processors for serious data breaches of up to £17 million or 4% of global turnover, whichever is higher.
In conclusion, it seems that the UK Data Protection Bill will act more as support to the GDPR rather than a hindrance, by clarifying requirements for UK companies and ensuring their long-term compliance to EU data protection standards, in hopes of a smooth transition after its departure from the EU. Through it, the UK is clearly thinking ahead and trying to minimize the impact of its looming exit on its digital economy.
The good news is that UK companies looking to be compliant with the new bill can easily invest in Data Loss Prevention (DLP) solutions such as Endpoint Protector and benefit from predefined GDPR profiles that block the transfer of sensitive information, screen entire networks for personal data and delete or encrypt if it is found on unauthorized users’ endpoints. A decisive first step towards compliance can thus be taken.
The UK Data Protection Bill is currently under committee review in the House of Lords and will have to pass a 3rd reading before the debate moves to the House of Commons. The hopes are that it will be approved and implemented ahead of the GDPR, that will come into effect on 25 May 2018.
You might also find interesting our: GDPR Infographic – Checklist and essentials
Download our free ebook on
A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.