Last month, the UK published the final version of a law to replace its current data security and privacy rules. For those who haven’t been following the Brexit drama now playing in London, the Data Protection Bill or DPB will allow UK businesses to continue to do business with the EU after its “divorce” from the EU.
The UK will have data rules that are effectively the same as the EU General Data Protection Regulation (GDPR), but it will be cleverly disguised as the DPB. Jilted lovers, separations, false identities … sounds like a real-life Shakespearean comedy (or Mrs. Doubtfire).
For businesses that have to accommodate the changes, it’s anything but.
In the Short Term
As it currently stands, the UK is under the EU’s Data Protection Directive (DPD) through its 1998 Data Protection Act or DPA, which in EU-speak “transposes” or copies the DPD into a national law. Come May 2018, the UK will fall under the GDPR, which has as a goal to harmonize all the separate national data security laws, like the UK’s DPA, into a single set of rules, and to put in place a more consistent enforcement structure.
Between May 2018 and whenever the UK government officially enacts the DPB, the GDPR will also be the data security and privacy law for the UK. The DPB is expected to become law before Brexit, which is scheduled to occur in March 2019.
Since the GDPR will soon be the data security and privacy law in the UK, replacing the DPA, organizations have been gearing up to meet the new rules – especially the right to erasure, 72-hour breach notification to authorities, and improved record keeping of processing activities. The DPB should, in theory, provide a relatively easy transition for UK businesses.
A Few Differences
As many commenters have pointed out (and to which I can personally attest), the DPB is not a simple piece of legislation — though you’d think it would be otherwise. The Bill starts with the premise that the GDPR rules apply to the UK, so it doesn’t even copy the actual text.
So what takes up the rest of this 200-page bill?
A good part is devoted to exemptions, restrictions, and clarifications that are allowed by the GDPR and which the UK DPB takes full advantage of in the fine print.
The core of the bill is found in Part 2, wherein these various tweaks — for personal data related to health, scientific research, criminal investigations, employee safety, and public interest — are laid out. The actual details — lawyers take note — are buried at the end of the DPB in a long section of “schedules”.
For example, GDPR articles related to the right to erasure, data rectification, and objection to processing don’t apply to investigations into, say, financial mismanagement or public servants misusing their office. In effect, the targets of an investigation lose control of their data.
The DPB is also complex because it contains a complete parallel set of GDPR-like security and privacy rules for law enforcement and national security services. The DPB actually transposes another EU directive, known as the EU Data Protection Law Enforcement Directive. There is also a long list of exceptions packed into even more schedules and tables at the end of the document.
While the goal of Brexit may have been to get out from under EU regulations, the Data Protection Bill essentially keeps the rules in place, and gives us a lot of abbreviations to keep track of.
Business Beware: ICO’s New Audit Powers
However, that doesn’t mean there aren’t any surprises in the new UK law.
The DPB grants regulators at the UK’s Information Commissioner’s Office (ICO) new investigative powers through “assessment notices”. These notices allow ICO staff to enter the organization, examine documents and equipment, and observe the processing of personal data. Effectively, UK regulators will have the ability to audit an organization’s data security compliance.
Under the existing DPA, the ICO can order these non-voluntary assessments only against government agencies, such as the NHS. The DPB expands mandatory data security auditing to the private sector.
If the ICO decides the organization is not meeting DPB compliance, these audits can lead to enforcement notices that point out the security shortcomings along with a schedule of when they should be corrected.
The actual teeth in the ICO’s enforcement are its power to issue fines of up to 4% of an organization’s worldwide revenue. It’s the same level of monetary penalty as in the original GDPR.
In short: the DPB is the GDPR, and smells as sweet.
For UK companies (and UK-based multinationals) that already have security controls and procedures in place — based on recognized standards like ISO 27001 — the DPB’s rules should not be a difficult threshold to meet.
However, for companies that have neglected basic data governance practices, particularly for the enormous amounts of data that are found in corporate file systems, the DPB will come as a bit of a shock.
CSOs, CIOs, and CPOs in these organizations will have to ask this question: do we want to conduct our own assessments and improve data security or let the ICO do it for us?
I think the answer is pretty obvious!