Preparing for GDPR: Understanding the UK’s new Data Protection Bill

Yesterday, the Department for Digital, Culture, Media and Sport (DCMS) published a statement of intent for a forthcoming Data Protection Bill. The purpose, it claims, is to bring the UK’s data protection laws up to date, support innovation and ensure “our data is safe as we move into a future digital world”.

Missing from the statement was mention of the General Data Protection Regulations (GDPR) – the heavily publicised European-wide regulation that comes into force in May next year.

The DCMS announcement, which you can read about more here, has caused confusion amongst companies working towards GDPR compliance. How do the two relate? Does one replace the other? Will the UK’s law come into force sooner than the GDPR?

GDPR in lead generation

The Lead Agency is at the forefront of the lead generation industry with our approach to GDPR, having implemented a programme in 2016 to ensure we are fully compliant. Quality has always been a key foundation, which has given us a competitive edge, and compliance is one of the pillars upon which it is built.

As well as internal education about GDPR, we have liaised with motor manufacturers and agencies to inform, and to understand their perspective, and we have attended events and conferences outside of our own industry to learn from others, to provide support, and to help spread the message about GDPR. In some cases, this can be as simple as relaying the simple fact that Brexit won’t affect implementation of the GDPR, as it is a regulation, not a directive, therefore will immediately become law on 25 May 2018.

GDPR will have many benefits: as consumers ourselves, it is important that we have control of our data, and as a company that serves consumers, we believe it is right that are consumers are aware of what their data is being used for.

We perceive that enforcement of GDPR will lead to companies who fail to recognise the significance of protecting consumers’ data, and of informing and allowing consumers choices in what happens to their data, ultimately exiting the market. At TLA, GDPR is not simply seen as an ‘IT/Compliance’ issue – it affects all areas of the business.

Ultimately, many of the principles of GDPR are equivalent to the Data Protection Act, which has been in place since 1998: it is evolution, not revolution, so the businesses destined to fail are likely to be those that are already lacking a compliance framework. For businesses who operate good practices under current legislation, it is essential to ensure that entry and exit points of data into the business meet the new standards, and that the relationships between all parties in the data supply chain are correctly defined and documented.

GDPR and the UK’s Data Protection Bill

The decision to avoid mention of GDPR or Europe in the DCMS press release will be seen as a political move by some commentators. GDPR is an example of an EU law that will definitely benefit consumers, which doesn’t particularly fit the narrative of ‘Leave’ campaigners; ministers who supported ‘Remain’ will be happy to market an EU-crafted law as their own if they think it will sit well with voters.

Fundamentally, the GDPR will be implemented on 25 May 2018 regardless of the UK’s new bill. At its simplest, this cements it into UK law to Brexit and beyond. As well as taking GDPR and embedding it in UK law, the government will use derogations in certain areas, and augmentations in others to supplement the law. For example, the government’s manifesto promise to allow a person to request their social media data from before they turned 18 is deleted; exceptions for journalists in certain circumstances to allow a balance between privacy and freedom of expression. This new law will also repeal the 1998 Data Protection Act.

The law itself is likely to be published after the summer recess, at which point it will be clearer whether the government intends to align this law with the current GDPR timetable. Obviously, the government’s perilous majority will affect the speed at which they can progress Bills; however, given the more controversial aspects of Brexit law-making that are likely to be pushed through in the coming year, it seems unlikely that opposition parties will expend much energy hindering the progress of this one, unless there are as-yet unmentioned efforts to use this to allow the government to access our data more freely, with the civil liberty implications that would raise.

Are the new UK data protection laws a good thing?

As expressed previously, for consumers, having greater control over their data is important in a data-driven world. But, from a business perspective, this is the first, and essential, step to ensuring that EU partners will trust the UK to process the data of EU citizens, post-Brexit. Without this ‘adequacy status’, the bureaucracy required to transfer data into the EU will be a potential hindrance to UK business.

We look forward to seeing the final law when it’s published, and will be carefully noting the responses of industry and government bodies.

Bill Lawrenson, business intelligence manager