The United Kingdom’s Data Protection Bill (DPB) underwent public committee review just as news and discussions on data collection and privacy dominate the headlines. It is U.K.’s response to the European Union’s General Data Protection Regulation (GDPR) and is intended to provide a comprehensive package for organizations to follow, as stated in the introduction of the Bill by the U.K. Information Commissioner’s Office (ICO).
With the U.K. facing two transitions — one imposed by the GDPR and the other by its own exit from the EU (Brexit) — the DPB is meant to provide its citizens and organizations level ground in the middle of these changes. DPB however, is aimed at more than just GDPR compliance before and after U.K. exits the EU — it is also meant to replace and repeal U.K.’s current data protection law, the Data Protection Act of 1998 (DPA).
It was first announced as part of the Queen’s speech on June 21, 2017. Almost a year after the announcement, the legislation has done its rounds in the U.K. Government’s House of Lords, and is currently in the middle of doing its rounds in the House of Commons. The DPB is set to be enacted as a law before May 25, 2018 — in time for when the GDPR is enforced.
Why does the UK need the Data Protection Bill?
The U.K. must comply with the GDPR.
The GDPR will affect U.K. organizations and citizens by May 25 since it is still considered a member state then. Once the U.K. leaves the EU, the Bill — an Act by then — will help ensure that the provisions of the GDPR are already preserved in U.K. law.
Brexit and GDPR together have a specific implication on U.K.-related data processing and transfer.
Exiting the EU subjects the U.K. to the provisions that GDPR imposes on what it calls "third countries,” just as other European countries become third countries to the U.K. Third countries to the EU must pass certain GDPR standards to ensure continuous data flow and exchange with member states. DPB helps ensure these standards are met as well as safeguards an uninterrupted data flow between EU member states and the U.K. once Brexit takes effect by March 2019.
U.K.’s current data protection legislation is outdated.
U.K.’s current data protection law, the DPA, was introduced almost 20 years ago. Since then, numerous technological advancements have been made — the invention of the smartphone for example — many of which weren’t foreseen and accounted for by the DPA. According to the ICO, the Bill intends to cover these technological changes by addressing the benefits and challenges these have brought to the use and collection of personal data.
How can an organization comply with both the GDPR and DPB?
According to the U.K. ICO page, the DPB did not simply lift GDPR regulations and used them as its own; it cross-references many of GDPR’s terms and regulations. The GDPR and DPB are meant to work side by side. Organizations have had more time to prepare for the GDPR, and a good way to start compliance with the DPB is ensuring GDPR compliance.
To adapt the GDPR into U.K.’s data protection laws, DPB made several significant changes to the original DPA. For example, the DPB included a broader definition for personal data, much like with the GDPR. The DPB redefined the responsibilities data controllers and data processors have, subjecting both to obligations and liabilities, whereas in the DPA, the focus of data protection obligations had been on controllers. As with the GDPR, the DPB included data subject rights such as the right to be forgotten and the right to data portability.
It would be useful for organizations to also take note of the derogations, i.e., flexibilities, the GDPR has provided for EU member states to better adapt the regulation to their cultural backgrounds. The U.K.’s derogations are detailed in the DPB’s summary. Some key ones include how data controllers and processors are identified, terms of consent, and guidelines for automated processing with AI.
What cybersecurity measures can companies use for GDPR and DPB compliance?
Both the GDPR and the DPB emphasize the need to implement “state-of-the-art technology” and “privacy by design and default” for data protection, in recognition that businesses of all sizes and from different sectors are subject to cyberthreats in different forms — ransomware, malware, and phishing scams, to name a few. More than the heavy fines GDPR may impose on companies in the event of an improperly handled data breach, companies’ reputation can also take a hit from such an event. Cybersecurity measures that can help with both GDPR and DPB compliance should have a strong technology component and solutions that can protect the entire enterprise.
The GDPR is set to transform data collection and processing guidelines and policies worldwide. Because of GDPR’s broader scope, countries, not just companies, are now reviewing their own approach to data protection to prepare their citizens and organizations for its effect.
Organizations can take their cue from the U.K. and see GDPR challenges as an opportunity to make much-needed improvements for cybersecurity measures and data protection processes. As technology and the threat landscape change, so should policies and legislation for cybersecurity. The GDPR and the DPB pave the way for organizations to have better control, security, and transparency in the use of personal data. As a plus, compliance also boosts customer trust and brand reputation.