The UK’s Data Protection Bill which was announced in July’s Queen’s Speech could soon be introduced in Parliament, although it could be a number of months before it becomes law. Expected to be introduced to Parliament in September, this was confirmed to leading data security specialist Chris Pinder by the Department of Digital, Media and Sport. Parliament returns from its summer recess on September 5 and it is expected that the draft legislation will be introduced soon after this date.
The Data Protection Bill will replace the Data Protection Act 1998 and will crucially incorporate the new European Union General Data Protection Regulations in national UK law. This means that even after the country has left the European Union, businesses will need to comply with the same EU rules for cuties. Failure by organisations to comply with GDO can result in fines as high a €20m (or 4% of global turnover, whichever is greater) to organizations anywhere in the world who fail to adhere.
However, according to Jon Baines, chair at the National Association of Data Protection and Freedom of Information Officers, the ramifications extend far beyond fines for individual companies:
“When the UK leaves the EU under Brexit, we will become a ‘third country’ for the purposes of GDPR, and we will need to have adequate domestic data protection law in place to enable the free flow of personal data between us and the EU,” he told Infosecurity. “If the European Commission decides that this new UK data protection law is inadequate, it will make these cross-border transfers of personal data very tricky, which would have the potential to adversely affect trade deals, and drive up costs for business and consumers, as well as potentially hindering cooperation in criminal justice and national security matters.”
The fact that the bill will be introduced in September doesn’t however mean that the bill will become law anytime soon.The bill is an immensely complex one and as such, will require much discussion and debate if it is to get thorough and enacted by March, which the government is aiming for.
“One thing is certain – this is going to be a complex piece of legislation, which will almost certainly take a number of months,” Baines said. “I understand the government is aiming for the bill to become enacted by March. No specific criticism is being levelled against the government when I say this leaves organizations aiming to comply with all of GDPR and the Law Enforcement Directive by next May with very little time to understand what will be coming, and to fully prepare for it.”
Other issues could also result in the bill being delayed, as there is a whole raft of Brexit legislation that MPs need to deal with now that Article 53 has been triggered.