The General Data Protection Regulation will automatically apply to businesses operating in the UK from May 2018. When the UK leaves the EU, it will, as far as we know, remain part of the UK legislative landscape through the implementation of the EU Withdrawal Act, which is currently working its way through parliament.

So why then has the Government introduced a new draft Data Protection Bill (DPB)? What do UK businesses need to know?

1. A universal regime: The GDPR currently does not cover all areas of personal data processing. For example, the GDPR explicitly does not apply to law enforcement agencies. The DPB seeks to apply the GDPR to all those areas excluded under the GDPR (other than processing for personal reasons) – the end result will be one regime that applies across the board
2. One rule for all: The DPB implements the EU’s law enforcement directive into UK law and ensures that a data protection regime along the lines of the GDPR will apply to all (including the intelligence services)
3. Harmonised data protection: Despite the fact that the GDPR is intended to implement one harmonised data protection regime across the EU without the need for further legislation, it nevertheless does allow member states some latitude in some specific areas. For example, grounds for processing special categories of data (what used to be called ‘sensitive personal data’), in addition to those already in the GDPR, can be set by member states. The DPB therefore uses this discretion and ‘fills in the gaps’
4. Brexit-proof: Whilst the DPB doesn’t implement the GDPR itself into UK law, it does seek to ‘Brexit-proof’ the GDPR. On Brexit, the GDPR will be incorporated into UK law through the mechanism outlined in the EU Withdrawal Act – but the DPB makes adjustments to the terminology in the GDPR, so that it will work under UK law. For example, references to ‘member states’ will be changed to ‘the UK’
5. Children: The age at which children can give valid consent in relation to ‘information services’ (such as online banking and social media) is 13 or above. Verified parental consent will now be required for children under 13 wanting to sign up for such services
6. Taxes and research: Currently the UK has discretion to make exemptions from the GDPR - the DPB seeks to replicate these for the most part. For example, the processing for crime and taxation purposes and the performance of functions of regulatory bodies regarding research, historical or statistical information, meaning that it remains very similar to the current position (under the 1998 Act)

When will it come into force?

It is unclear when the DPB will come into force as it requires an order by the appropriate Secretary of State. However, it would make sense that it happens at the same time as the GDPR itself comes into force on 25 May 2018.

The draft for the DPB is still going through parliament (it has just had its second reading in the House of Lords and now goes into the committee stage). So it is possible that there may be some changes in the DPB during this process. However, most commentators agree that, the approach does make sense and where possible, the government has sought to replicate the various positions and requirements of current law as far as possible.

Piers Clayden is the founder of Clayden Law, a legal firm specialising in IT, data privacy and cyber security. Clayden has contributed to the recently launched GDPR e-learning course from CIM, in collaboration with MeLearning. For further information on CIM's digital training solutions for GDPR, visit our GDPR webpage.