The Department for Digital, Media & Sport has announced plans to formally bring the General Data Protection Regulation into British law in its new Data Protection Bill.
The EU’s GDPR legislation is due to come into force on 25 May 2018. It will impose stricter requirements on organisations that process data than the Data Protection Act 1998 currently does, and will allow the Information Commissioner’s Office to levy fines of up to £17m or 4 per cent of global turnover on organisations that breach the rules.
A statement of intent on the proposed bill, published today, makes it clear that the government intends to maintain the requirements of the GDPR even after the UK leaves the EU in March 2019.
It acknowledges that the GDPR applies only to areas of law for which the EU has oversight.
But it adds: "This means that our own laws will need to apply data protections to other areas, and we intend to apply substantively the same standards to all general data in order to create a clear and coherent data-protection regime."
Although charities will be required to adhere to the GDPR across all aspects of their work, the most controversial area it will have an impact on is fundraising, and the statement of intent reiterates the government’s commitment to enforce the GDPR’s more stringent requirements on consent.
"We will ensure that the default reliance on the use of default opt-out or pre-selected ‘tick boxes’ – which are, in any case, largely ignored – will become a thing of the past," it says.
In a letter to stakeholders accompanying the announcement, Matt Hancock, the Minister of State for Digital, said the government would work with the Information Commissioner to ensure that guidance was available to help organisations navigate the new requirements.
Daniel Fluskey, head of policy and research at the Institute of Fundraising, said: "Reading today’s announcement, we understand that the new Data Protection Bill’s focus is on bringing the GDPR requirements into domestic law ready for the post-Brexit world.
"Charities are continuing to adapt and change how they work, not just to meet new legislative requirements, but to ensure that they are giving the best experience to their supporters. We’ll be looking closely at the details when the bill is published later in the year to ensure any issues affecting fundraisers are considered in the new legislation."
The DCMS also published the responses to its consultation on the areas of the GDPR where the UK has been able to exercise some discretion in how the law is applied.
The Charity Commission was among those organisations that responded to the consultation.
In its response, the regulator expressed concerns about the GDPR’s requirements for processing sensitive personal data, particularly concerning someone’s criminal convictions, which say that only "bodies vested with official authority" can process such information.
It is not clear whether this would include the commission, and the commission expressed concern that it could "significantly impede its regulation of charities" if it was unable to access information about someone’s previous convictions that would disqualify them from serving as a trustee.
But in its statement of intent, the government says it listened to such concerns and would legislate to extend the right to process personal data on criminal convictions and offences to other organisations.
A spokesman for the DCMS said the bill would be put before parliament after the summer recess and the government was committed to ensuring it was passed before the GDPR came into force.