GDPR By Any Other Name: The UK’s New Data Protection Bill

Michael Buckbee
3 min read
Published October 23, 2017
Last updated June 9, 2023

Last month, the UK published the final version of a law to replace its current data security and privacy rules. For those who haven’t been following the Brexit drama now playing in London, the Data Protection Bill or DPB will allow UK businesses to continue to do business with the EU after its “divorce” from the EU.

The UK will have data rules that are effectively the same as the General Data Protection Regulation (GDPR), but it will be cleverly disguised as the DPB. Jilted lovers, separations, false identities … sounds like a real-life Shakespearean comedy (or Mrs. Doubtfire).

For businesses that have to accommodate the changes, it’s anything but.

In the Short Term

As it currently stands, the UK is under the EU’s Data Protection Directive (DPD) through its 1998 Data Protection Act or DPA, which in EU-speak “transposes” or copies the DPD into a national law. Come May 2018, the UK will fall under the GDPR, which has as a goal to harmonize all the separate national data security laws, like the UK’s DPA, into a single set of rules, and to put in place a more consistent enforcement structure.

Between May 2018 and whenever the UK government officially enacts the DPB, the GDPR will also be the data security and privacy law for the UK. The DPB is expected to become law before Brexit, which is scheduled to occur in March 2019.

Since the GDPR will soon be the data security and privacy law in the UK, replacing the DPA, organizations have been gearing up to meet the new rules – especially, the right to erasure, 72-hour breach notification to authorities, and improved record keeping of processing activities. The DPB should, in theory, provide a relatively easy transition for UK businesses.

A Few Differences

As many commenters have pointed out (and to which I can personally attest), the DPB is not a simple piece of legislation — though you’d think it would be otherwise. The Bill starts with the premises that the GDPR rules apply to the UK, so it doesn’t even copy the actual text.

So what takes up the rest of this 200-page bill?

A good part is devoted to the exemptions, restrictions, and clarifications that are allowed by the GDPR and which the UK DPB takes full advantage of in the fine print.

The core of the bill is found in Part 2, wherein these various tweaks — for personal data related to health, scientific research, criminal investigations, employee safety, and public interest — are laid out. The actual details — lawyers take note — are buried at the end of the DPB in a long section of “schedules”.

For example, GDPR articles related to the right to erasure, data rectification, and objection to processing don’t apply to investigations into, say, financial mismanagement or public servants misusing their office. In effect, the targets of an investigation lose control of their data.

The DPB is also complex because it contains a complete parallel set of GDPR-like security and privacy rules for law enforcement and national security services. The DPB actually transposes another EU directive, known as the EU Data Protection Law Enforcement Directive. There is also a long list of exceptions packed into even more schedules and tables at the end of the document.

While the goal of Brexit may have been to get out from under EU regulations, the Data Protection Bill essentially keeps the rules in place, and gives us a lot of abbreviations to keep track of.

Business Beware: ICO’s New Audit Powers

However, it doesn’t mean there aren’t any surprises in the new UK law.

The DPB grants regulators at the UK’s Information Commissioner’s Office (ICO) new investigative powers through “assessment notices”. These notices allow ICO staff to enter the organization, examine documents and equipment, and observe the processing of personal data. Effectively, UK regulators will have the ability to audit an organization’s data security compliance.

Under the existing DPA, the ICO can order these non-voluntary assessments only against government agencies, such as the NHS. The DPB expands mandatory data security auditing to the private sector.

If the ICO decides the organization is not meeting DPB compliance, these audits can lead to enforcement notices that point out the security shortcomings along with a schedule of when they should be corrected.

The actual teeth in the ICO’s enforcement is its power to issue fines of up to 4% of an organization’s worldwide revenue. It’s the same level of monetary penalties as in the original GDPR.

In short: the DPB is the GDPR, and smells as sweet.

For UK companies (and UK-based multinationals) that already have security controls and procedures in place — based on recognized standards like ISO 27001 — the DPB’s rules should not be a difficult threshold to meet.

However, for companies that have neglected basic data governance practices, particularly for the enormous amounts of data that are found in corporate file systems, the DPB will come as a bit of a shock.

CSOs, CIOs, and CPOs in these organizations will have to ask this question: do we want to conduct our own assessments and improve data security or let the ICO do it for us?

I think the answer is pretty obvious!
