UK’s Data Protection Bill Contains Exemptions

The UK government today published a Data Protection Bill designed to enshrine the EU GDPR into domestic legislation to minimize disruption to businesses post-Brexit.

The proposed law includes some exemptions which the government claims will help “prevent and detect fraud, protect the freedom of the press, allow scientific research and maintain the integrity of professional sports.”

Specifically, journalists will be allowed to process data to expose wrongdoing, anti-doping agencies will be able to process data to catch sporting drug cheats and financial institutions will still be allowed to price risk or process data if there’s a suspicion of terrorist financing or money laundering.

Exemptions also apply to certain scientific and historical research organizations like universities and museums, and to employees who access sensitive data without consent in order to fulfill employment law obligations.

The new law otherwise demands data processors and controllers obtain explicit consent to use an individual’s personal data, which may not be granted in the case of – say – a sportsperson looking to escape a doping investigation.

This is just one of a slew of new elements designed to put users back in control of their personal data – providing them with the right to be forgotten, data portability, etc. – and to compel organizations to protect said data properly.

Palo Alto Networks EMEA CSO, Greg Day, welcomed the bill as giving UK firms “the clear certainty and direction on data security they’ve been seeking.”

“How the government is implementing GDPR so thoroughly, as well as taking this opportunity to adjust domestic law to ensure clarity of roles and responsibilities for all, shows a real determination to make the UK a true leader in how organizations preserve digital trust and citizens take control about how their personal data is used,” he added.

However, there are still concerns that the UK’s £240bn digital economy could be at risk if rules around data flows to non-EU countries aren’t changed in time for Brexit in March 2019.

The CBI yesterday warned the UK is heading for a “data cliff edge” if it doesn’t accelerate efforts to seal a transitional deal on post-Brexit data flows.

In the long term, the UK needs an “adequacy decision” from the European Commission to prove UK laws and standards meet EU standards.

However, experts have warned in the past that securing this could be problematic given the mass surveillance powers granted to the UK authorities by the Investigatory Powers Act.
