The new UK Data Protection Bill (the Bill) was published on 14 September 2017. The Bill is designed to be read in conjunction with the General Data Protection Regulation (the GDPR) which comes into force on 25 May 2018.
The Bill is due for its second reading in the House of Lords in October and so is subject to change. We assume it will come into force around the same time as the GDPR.
Once enacted, the Bill will, amongst other things:
- repeal the Data Protection Act 1998, but retain some of its key concepts;
- implement and supplement the standards of the GDPR;
- create new exemptions and derogations from the application of the GDPR in the UK; and
- create a number of new criminal offences relating to the processing of personal data.
With only eight months to go until the GDPR takes effect, the Bill is a further reminder that HR practitioners need to be taking action now to establish what personal data the business has in its possession, how it processes that data, the purposes for which data is processed and the legal basis for such processing. Particular attention will need to be given to the transfer of staff data overseas and the processing of special categories of data (such as employee health information).
The results of that data audit can then be used to modify practices where necessary, to provide training and to produce or update the various compliance documents required under the GDPR. For example, employers will need a privacy notice for all staff, a privacy notice for applicants, and a data protection policy setting out staff obligations and rights and how the employer complies with the GDPR.