The UK Government has published its proposals to reform the UK’s data protection laws. The Statement of Intent, issued by the Department for Digital, Culture, Media and Sport, makes for familiar reading for those already preparing for the EU’s new General Data Protection Regulation (GDPR). But there are a number of new proposals that will apply to the UK only.
New criminal offences
The Data Protection Bill will create two new criminal offences:
- intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data; and
- altering records with the intent to prevent disclosure following a subject access request.
Each of these new offences will carry a penalty of a potentially unlimited fine.
The Bill will also extend the scope of the existing offence of unlawfully obtaining data. The offence will now capture those who retain data against the wishes of the data controller, even if the data were lawfully obtained in the first place.
Automated profiling
The GDPR will give individuals an express right not to be subject to automated decision-making (including profiling).
The UK will qualify this right to allow certain ‘legitimate’ processing to take place. The scope of this exception is not yet clear, but the Statement of Intent mentions that automated credit reference checks, for example, are ‘legitimate’.
Records of criminal convictions
As standard, the GDPR only permits bodies with official authority to process personal data relating to criminal convictions and offences.
The Bill will extend this permission to all organisations, but will impose strict requirements for processing (similar to those for processing sensitive personal data).
Next steps
We expect the Bill to be published in full in September.
The GDPR will take effect in the UK in May 2018.
Authors: Giles Pratt and Michael Haynes