On Wednesday 17th January, the Data Protection Bill completed its journey through the House of Lords and headed back to the Commons. This means it’s heading toward the last stages before it becomes law.
Over the last few weeks I’ve been asked several times what the difference is between the Bill and the GDPR, also whether the Bill will mean that the GDPR will no longer apply. If you were hoping for this outcome, I’m afraid to dash those hopes. The Bill mentions GDPR 480 times, the Regulation is inextricably woven in.
The Bill enshrines the requirement to comply with the terms of the GDPR into UK law. This means of course that after Brexit you’ll still be required to manage personal data to the same standards as the rest of the EU. This will provide real benefit for firms wanting to do business in Europe.
But, the GDPR doesn’t cover every situation where the UK needs to manage personal data. This is particularly in relation the operation of the government itself, and situations relating to national security.
There has been some friction between the ICO and the government over these additional regulations. The Information Commissioner is concerned that government is giving itself the right to impose a different framework on a range of organisations only loosely connected with delivering public services. There are still some things to be ironed out before the Bill is given the Royal Assent.
For most organisations, these considerations will have little or no impact. The requirement to manage personal data under the terms of the GDPR remains the same, and the 25th of May remains the deadline for compliance.