The UK Data Protection Bill received Royal Assent on 23 May and its main provisions will commence on 25 May 2018. The UK Act is not limited to GDPR provisions but also covers national security issues and transposes the EU Law Enforcement Directive. It is therefore necessary to read the two texts side by side.
With regard to GDPR derogations, the age for a child’s consent in relation to information society services will be 13 instead of the 16 set in the GDPR. Whilst the GDPR does not require organisations to notify the supervisory authority, the UK Act imposes a notification fee to be paid to the ICO.
The ICO will issue a Data-sharing code, a Direct marketing code, an Age-appropriate design code and a Data protection and journalism code.
The Act creates a new criminal offence in cases where anyone uses anonymised data knowingly or recklessly to re-identify information that is de-identified personal data. The UK regulator is also granted more effective powers of entry and inspection.
Information Commissioner, Elizabeth Denham, writes in her blog: ‘The legislation requires increased transparency and accountability from organisations, and stronger rules to protect against theft and loss of data with serious sanctions and fines for those that deliberately or negligently misuse data.’
‘And although the ICO will be able to impose much larger fines - this law is not about fines. It’s about putting the consumer and citizen first … we can’t lose sight of that.’
‘The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25 May 2018. From this date, we’ll be enforcing the GDPR and the new Act but we all know that effective data protection requires clear evidence of commitment and ongoing effort.’
See the 2018 Data Protection Act.
Privacy Laws & Business 31st Annual International Conference focuses on GDPR compliance. A session on the new UK Act takes place on Tuesday 3 July.