New UK Data Protection Bill to Incorporate GDPR

The United Kingdom Government has published the Data Protection Bill that intend to bring the country’s data protection regime into the twenty-first century. This will give UK citizens more authority over their personal information and impose stricter penalties on the organizations that  breach the law. The bill will be part of the multi-billion National Cyber Security Strategy. It incorporates the European Union data protection regulation-GDPR which is set to come into force in May 2018.

The GDPR penalty regime that imposes a fine of up to €20 million or 4% of total global annual revenue is one of the clauses added to the bill. This bill repeal the Data Protection Act 1998 when it comes into force. It implements the new EU data protection regulation. When the United Kingdom exits the European Union, GDPR will already be integrated into law by EU withdrawal bill. This means that businesses will be obliged to comply with the GDPR when handling United Kingdom citizens’ data.

Apart from executing the EU rules, the bill also affects the law enforcement and national security agencies. It introduces key changes for employers to process sensitive personal data like sexual orientation, religious beliefs, union membership, political opinion, health data, and data on ethnic origin. As is the case with GDPR, the new UK bill mandates data processors to obtain clear consent before processing sensitive personal data. Employers must process sensitive personal data to meet obligations or exercise rights in employment law if a policy document satisfies additional requirements. This will also apply to processing criminal conviction data.

Employers will not reveal information to employees when responding to subject access requests for various categories of information such as that covered by legal professional privilege, information management planning, information relating to employer’s intentions during negotiations with the employee and confidential references given but not those received. The new bill incorporates the European Union data protection regulation and is designed to ensure that the United Kingdom preserves and protects the privacy of its citizens.