Data protection law will require a two-tracked mind
Parliament begins work this week on what will become the Data Protection Act 2018
The clock is ticking: most Britons will have less than 150 working days until the General Data Protection Regulation (GDPR) comes in to force on 25 May. The regulation, with its new definition of sensitive personal data (special category personal data), new subject rights and penalties for infringement, has already proved a boon to consultants offering compliance advice.
But organisations congratulating themselves on getting their houses in order well in advance may have new shocks on the way. We are still awaiting definitive guidance on several aspects of the GDPR. Meanwhile, the fine detail of what will become the Data Protection Act 2018 remains uncertain. The process of thrashing this out begins tomorrow (Tuesday) when the Data Protection Bill receives its second reading in the House of Lords.
The 218-page bill will repeal and replace the Data Protection Act 1998, drafted in a pre-internet age. While it is expressly designed to bring domestic law into line with the European regulation, rendering the UK's data protection regime Brexit-proof, specialist lawyers point out that it does much more besides.
Robin Hopkins, barrister at chambers 11 Kings Bench Walk, notes that the bill has two functions apart from maintaining the GDPR. It will:
- Fill in the gaps of the GDPR, for example setting out the grounds on which “special category” personal data can be processed. The GDPR leaves gaps for member states to fill in.
- Extend the GDPR into areas that it would not otherwise cover - for example to public authorities that hold unstructured manual files as well as to law enforcement or intelligence services activity.
For the moment, the message from the Information Commissioner’s Office is that the new legislative regime is “evolution not revolution”. Karen Round, senior policy officer, stresses that the GDPR merely moves onto a statutory footing what well-run organisations should already be doing; privacy impact assessments, for example.
Round admitted that “some gaps” remain in guidance on implementation. “We’re working as best we can to produce some workable guidance as quickly as we can.”
There is no room for complacency. Hopkins warns that: “The bill is not a copy-and-paste of the GDPR. Instead, it constantly cross-refers to the GDPR, meaning that one has to read both the bill and the GDPR side by side. Neither document alone gives the complete picture of data protection in the UK.” The bill itself contains language that is “often turgid and bewildering”, he says.
“Eye-catching features” include the definition of a “public authority”, conditions for processing special category and criminal history data. Specific derogations from the GDPR, such as that copied over from the 1998 act applying to journalism, may face parliamentary scrutiny. However Hopkins says that, given the lack of parliamentary time, “the bulk of this Data Protection Bill will probably remain intact.”
Discrepancies and tensions
But another potential complication looms: the period of overlap between 25 May and the eventual passing of the European Union withdrawal bill, which is timetabled to come into force some time before March 2019. “This represents a period during which both domestic data protection legislation and European legislation will be effective in the UK,” says Alex Aisthorpe, solicitor at City law firm Ashfords. This will inevitably create discrepancies and tensions.
For the ICO, Round says that new guidance from the EU Working Party on the GDPR (“Article 29”) would be available by the new year. Data protection managers can keep track by following the ICO's “myth-busting” blogs. Over the next 150 days, the writers of those will have plenty of gaps to fill and myths to bust.