The UK will replace the General Data Protection Regulation with a domestic version which will be compliant with the EU regulation.
The Data Protection Bill is an update of the existing Data Protection Act 1998, and will incorporate the EU’s GDPR and the Data Protection Law Enforcement Directive requirements.
“The Government intends to extend the right to process personal data on criminal convictions and offences to enable organizations other than those vested with official authority to process criminal convictions and offences data. This will be a relief to private sector processors of such data – such as certain financial services providers – which, under a literal reading of the GDPR, would have been prohibited from doing so,” a note from law firm Bond Dickinson said.
The UK government confirmed the changes in a statement of intent published this week.
The GDPR, which comes into force in May 2018, requires all firms holding data to satisfy a high standard of consent for processing personal data. Data holders must acquire consent – it will not be adequate to assume consent has been granted if they do not hear from the source.
The penalties for non-compliance or a breach are either the equivalent of 4 percent of global annual turnover or €20 million, whichever is greater.