UK: Data Protection Bill published - employers should prepare now for GDPR

The Government published the draft Data Protection Bill (the "Bill") on 14 September. The Bill will be debated at its second reading in the House of Lords on 10 October 2017. The Bill will replace the Data Protection Act 1998 (the "1998 Act") and will be supplemented by the EU General Data Protection Regulation ("GDPR") which applies directly from 28 May 2018 until the UK leaves the EU; at that point, the Government intends that the GDPR will be incorporated into the UK's domestic law under the European Union (Withdrawal) Bill. The Bill therefore does not need to replicate the GDPR itself, but instead implements various derogations permitted by the GDPR and also extends the GDPR standards to certain areas of data processing outside EU competence. The Bill also provides for the continuation of the Information Commissioner's role.

The draft Bill and Explanatory Notes are available here; although lengthy, much of the Bill relates to law enforcement data processing and processing by the intelligence services and so is of limited relevance to commercial organisations in that regard. We will be publishing a more detailed briefing on the Bill in due course and will keep you updated as it progresses through Parliament. However, some preliminary points of interest are:

• The GDPR permits Member States to stipulate conditions for processing "special categories of personal data" (broadly, "sensitive personal data" under the DPA) and criminal conviction data without needing to obtain explicit consent. The Bill aims to replicate the current DPA provisions; the conditions are set out in Schedule 1 of the Bill and cover a wide range of areas. There are exemptions relevant to specific types of organisation as well as several with more general application, such as where processing is necessary for the purpose of diversity monitoring, to prevent and detect unlawful acts, to fulfil obligations under employment or social security law or for health and social care purposes (including occupational medicine and the assessment of the working capacity of an employee). A key point to note is that, in most cases, the data controller will only be able to rely on the conditions if they have an appropriate policy document in place when the processing is carried out, which must explain the controller's procedures for securing compliance with the data processing principles and set out the controller's policies on retention and erasure of the personal data processed. The policy document must be reviewed and updated from time to time and made available to the Information Commissioner on request; additional details must also be included in the record of processing based on these conditions.
• The Bill replicates certain DPA exemptions to individual rights to information about processing and subject access rights (in Schedule 2 Part 4). These include exemptions in relation to legal professional privilege, self-incrimination, management forecasts, negotiations, and confidential references. This is particularly helpful given the GDPR does not address these points.
  The GDPR allows Member States to set the minimum age at which a child can consent to personal data processing by information society services (eg online sellers, search engines and social media) between 13 and 16 years; the Bill confirms that this will be 13 in the UK.
• The Bill introduces new criminal offences of (i) knowingly or recklessly re-identifying personal data that has been anonymised, without the consent of the controller who de-identified the data; and (ii) altering personal data to prevent disclosure following the exercise of a subject access right. The DPA prohibition on requiring employees or contractors to provide certain records obtained via subject access requests as a condition of their engagement, or on requiring the public to request such records in order to obtain goods, facilities or services, is replicated and extended to medical records in addition to criminal records. The Bill replicates the DPA provision for directors' personal liability where an offence is committed with the consent, connivance or negligence of a director.
• The Bill imports much of the DPA and therefore contains few surprises for businesses, but it does at least confirm for the first time the Government's intention to retain many of the DPA derogations and exemptions, which is welcome news. Businesses should now begin planning in earnest for implementation of the GDPR next May.

Herbert Smith Freehills has specialist multi-disciplinary Data Protection, Privacy and Cyber Security teams focusing on helping companies to navigate the GDPR in the run up to 25 May 2018 and beyond. We will be issuing a series of cross-practice cross-border briefings and webinars catering for the “whole of business”. Each briefing and webinar will be written with a particular key business function or functions in mind – placing the spotlight on what we are seeing and hearing in the market alongside our practical experience of dealing with the challenges of compliance.

Our first briefing in the series takes a high level look at the anatomy of a GDPR compliance programme, breaking down the task into more digestible pieces. Subscribe to our multi-disciplinary GDPR practical series here and navigate to the GDPR Hub for our latest thinking and industry insights.