Legislation to introduce the requirements of the EU General Data Protection Regulation into UK law has had its first reading in the House of Lords.
The EU’s GDPR legislation is due to come into force on 25 May 2018 and will bring in stricter requirements for organisations that process data than are currently required under the Data Protection Act 1998. It will allow the Information Commissioner’s Office to levy fines of up to £17m or 4 per cent of global turnover on organisations that breach the rules.
The Data Protection Bill, which updated the Data Protection Act 1998 by incorporating the GDPR requirements, was introduced by Lord Ashton of Hyde, the culture, media and sports minister in the House of Lords.
Bills are typically not debated at their first reading but will be discussed by peers at the second reading, which is due to take place on 10 October.
In overview guidance, the government said the bill would implement the GDPR standards, but also provide clarity on the definitions used in the GDPR in the UK context.
The bill includes a number of modifications to the GDPR on areas in which the EU allowed individual countries to set their own policies, such as the age from which parental consent is not needed to process data online, which the bill sets as 13, and exemptions to the rules for academic research, financial services and child protection.
The Charity Commission had previously expressed concern about the GDPR’s requirements for processing sensitive personal data, particularly concerning someone’s criminal convictions, which say that only "bodies vested with official authority" can process such information.
It is unclear whether this would include the commission. The commission said that if it did not, this could impede its ability to regulate effectively.
But in a statement announcing the bill, the government said the bill would allow the processing of sensitive and criminal conviction data without consent "where it is justified", suggesting the commission would be able to do so.
"Organisations which already operate at the standard set by the Data Protection Act 1998 should be well placed to reach the new standards," the guidance document says.
"The bill will mean that UK organisations are best placed to continue to exchange information with the EU and international community, which is fundamental to many businesses."
It said the Information Commissioner was already working to help businesses comply with the new law from May 2018 and would be taking "a fair and reasonable approach" to enforcement after it enters the statute book.
In a statement on the ICO website, Elizabeth Denham, the Information Commissioner, said: "The introduction of the Data Protection Bill is welcome as it will put in place one of the final pieces of much-needed data protection reform.
"Effective, modern data-protection laws with robust safeguards are central to securing the public's trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime."
She said she would provide her own input as necessary during the legislative process.