It's almost six months until the implementation date of the European GDPR (General Data Protection Regulation) and the UK begins its journey toward the club's exit door. The release of the DPB (Data Protection Bill 2017) has confirmed the UK's position on how it plans to remain tied to, yet distinct from, its European neighbours.
The Lure of the Continent
Despite political ties being severed, the UK's geographical position will forever remain unchanged and with it, a large market at its doorstep. For fear of being deemed an extra-territorial location with insufficient data privacy laws, affecting over 40% of its trade and cross-border data sharing capabilities, the UK has instead opted to enact the principles of the GDPR into national law in the form of the DPB, ensuring its position whatever may come from the Brexit negotiations.
How Does it Differ?
For those who have prepared and studied the incoming European regulation, very little has changed other than the name by which it is known. Data subjects will retain the same rights, data controllers will still incur the same obligations and, of course, those headline-grabbing administrative penalties still apply. However, possibly in an attempt to become the "Switzerland of data privacy", the UK has included some additional penalties in the event of:
- Re-animating the Anonymous - Under the GDPR personal data is afforded protective controls which would render it anonymous by using methods such as pseudonymisation. Any attempt to de-anonymise or stitch personal data back together to reveal an identity will become a criminal offence.
- Manipulating Personal Data - Subject access requests are a key data subject right, enabling data subjects to request access to all held personal data records from a data controller. If the returned personal data has been found to have been tampered with or modified in any way, then this again can result in a criminal offence.
In both cases, the accused can be pursued through a criminal court, which will undoubtedly damage the represented brand. However, this will be less worrying than the fact that convictions can be accompanied by an unlimited value administrative penalty. That's right... for those who viewed the GDPR's administrative penalties as unwarranted and eye-watering, there is a new extremity in town.
Here Comes 2018
Come May 2018, the UK's DPB will have made its way successfully through both chambers of parliament, keeping the UK aligned with the continent and affecting those that use personal data as has been expected. Once the UK negotiates its exit from the European Union, it is hoped that the DPB will ensure a frictionless transfer from GDPR to approved third country. Yet, there remain questions about the likelihood of the EU approving the UK's approved third country status given the mass surveillance powers granted to authorities via the Investigatory Powers Act 2016.
Despite many of the details still to be ironed out, the intention is still there. Brexit will have no effect on the UK either joining or equalling the GDPR. If denial still exists, it must now be extinguished, not only because it is foolhardy in the face of a wave of inevitable change but because it is now possible to land yourself with both a criminal conviction and a limitless value fine. The DPB is the GDPR; it is just wearing a Union Jack coat.