What are you looking for?

19 September 2017 | Comment | Article by Louise Price

The GDPR and the new Data Protection Bill


The EU General Data Protection Regulation (GDPR) has been described by the Information Commissioner as “the biggest change to data protection law for a generation”. It will automatically come into force in the UK on 25 May 2018, just a few weeks after the UK is required to enact legislation to implement another EU law, the Data Protection Law Enforcement Directive (DPLED) on 6 May 2018 which applies to public enforcement agencies.

The Government has recently confirmed that it plans to introduce a new Data Protection Bill, which will integrate the GDPR into UK law together with the DPLED and ensure both continue to apply after Brexit.

The UK’s Minister of State for Digital, Matt Hancock said:

“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. …The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”

“The Data Protection Bill will allow the UK to continue to set the gold standard on data protection. We already have the largest internet economy in the G20. This Bill will help maintain that position by giving consumers confidence that Britain’s data rules are fit for the digital age in which we live.”

Key legal changes coming into force will include provisions that:

  • make it simpler for people to withdraw consent for the use of personal data;
  • allow people to ask for their personal data held by companies to be erased;
  • enable parents and guardians to give consent for their child’s data to be used;
  • require ‘explicit’ consent to be necessary for processing sensitive personal data;
  • expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA;
  • update and strengthen data protection law to reflect the changing nature and scope of the digital economy;
  • make it easier and free for individuals to require an organisation to disclose the personal data it holds on them;
  • make it easier for customers to move data between service providers.

New criminal offences will be created to deter organisations from either intentionally or recklessly creating situations where someone could be identified from anonymised data. In addition, the Information Commissioner’s Office will also be able to issue higher fines – of up to €1 million or 4% of global turnover for serious data protection breaches. This is significantly more than the £500k current fine level.

At Hugh James, mindful of the breadth of coverage of the GDPR and new Data Protection Bill, we have put together a team of legal experts from across the firm who can help organisations prepare for this hugely significant legislative change. For more information, see our dedicated GDPR webpage here.

Author bio

A highly specialised lawyer, Louise is a Partner and Head of Employment and HR services. Her expertise includes corporate support work, TUPE, pensions and employee benefits advice. She regularly advises private, public and third sector clients regarding large scale TUPE transfers of staff including drafting indemnities and warranties, advising on potential employment and pension liabilities, information and consultation obligations, and providing best value guidance.

Disclaimer: The information on the Hugh James website is for general information only and reflects the position at the date of publication. It does not constitute legal advice and should not be treated as such. If you would like to ensure the commentary reflects current legislation, case law or best practice, please contact the blog author.

Contact one of our experts

Fill in the form and one of our experts will get in touch with you shortly.