Those of you who have just got to grips with the General Data Protection Regulation (GDPR) may have been confused by the recent Government statement on the new Data Protection Act (DPA), and may also be wondering where the recently announced Network and Information Systems (NIS) directive fits in. In this article we try to explain what is happening and why.
You probably thought that GDPR was about to replace the DPA. Well, yes and no. The GDPR actually came into force on 24 May 2016; however, there is a two-year transition period for implementation, and therefore the UK is not obligated to enforce it until 25 May 2018, when we will still be part of the EU.
In February this year, the Minister for Digital and Culture told the House of Lords Select Committee on the European Union that the GDPR was a “good piece of legislation”. However, when we leave the EU we will mirror it in our own legislation (the new DPA). He said that parts of the Data Protection Act 1998 would need to be repealed for data processing to be within the scope of the GDPR and that it was “necessary to ensure that we do not end up with the Data Protection Act duplicating or creating inconsistencies with the GDPR, because the GDPR will be directly applicable”.
The Queen’s Speech in June also introduced a new Data Protection Bill which “will ensure that the UK retains its world-class regime protecting personal data”.
Why can’t we just use the GDPR?
Well, by 2019 we will no longer be part of the European Union. This means that we won’t be governed by European laws.
Under the EU’s data protection framework, any country outside the EU and EEA is classed as a “third country”. Personal data can only be transferred to a third country when an adequate level of protection is guaranteed. The UK will therefore need an adequacy approval from the EU.
The Government has stressed that it is “keen to secure the unhindered flow of data between the UK and the EU post Brexit”. However, in order to be able to trade and to allow the automatic transfer of data across and through the EU, we have to have the same overall laws in place.
So what will be the difference between the GDPR and the new DPA?
Unfortunately, at this stage the Government has not set out in detail the content of the new Data Protection Act, so we don’t know. However, it has made clear in its statement of intent that it will only be invoking a few derogations.
Areas currently under consideration include:
- Protection from bogus subject access requests for companies that hold large archives of material.
- Modifying areas around automated processing. This is typically used by large credit agencies to determine credit card applications.
There is a confusing area where third-party companies may still be able to access criminal record information. This may come back to bite us as a country over the next couple of years if it is regarded as unacceptable by the EU.
The recently announced Network and Information Systems (NIS) directive is separate from the GDPR and is focused on the requirements for managing security risks in internet-based services and the treatment of breaches, rather than on the data being held. It is designed to ensure that essential services are maintained, so it is aimed at digital services in the water, energy, transport and health sectors. Organisations could face fines of up to £17m or 4% of global turnover if they fail to protect themselves from cyber-attacks.
This is still in the consultation phase but is likely to be in place by May 2018.
The BDO Technology Advisory Services team is helping many of its clients make the hugely important transition through GDPR compliance and provides advice and guidance on cybersecurity. If you would like further information on this or any IT matter, please contact Gavin Davis on 0118 925 4400 or email [email protected]