Guidance

General Processing Factsheet

Updated 10 April 2019

DCMS Secretary of State, Matt Hancock said:

“The Bill will bring data laws up to date, give citizens more control over their data, and support innovation by ensuring that scientists and businesses can continue to process data safely.

“We want the UK’s data laws to be the most effective in the world, so that we can harness the use of data, and protect privacy.”

1. What are we going to do?

• Enable easier access to your own data.

• A new right to data portability: it will be easier to transfer your personal data between service providers.

• A strengthened right to be forgotten: when you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted, and a right for 18 year olds to have data removed.

• A new right to know when your data has been hacked.

• Exemptions to support businesses and enable innovation

2. How are we going to do it?

• The Bill provides new data protection standards based on the GDPR to all general data, creating new rights for citizens and new modern rules for business.

• Until the UK leaves the EU, where the GDPR applies directly, the Bill supplements it by exercising derogations, and extending the framework to other general data covered by domestic law.

• The Bill will create a comprehensive framework for general data processing.

3. Background

The UK is a well connected nation: 95% of premises now have access to superfast broadband. Residential broadband customers used an average of 190GB a month last year, a 44% increase on the previous year. The Data Protection Act 1998 has served us well but was designed when accessing the internet was largely limited to desktop computers in well connected companies or universities, and advanced data science was not possible. We need to update our laws.

The Bill adopts the GDPR standards for all general data in the UK. Until exit negotiations are concluded, the UK remains a full member of the EU and all the rights and obligations of EU membership remain in force. Until the UK leaves the EU, therefore, the GDPR will operate in tandem with the Bill. When the UK leaves we will restore a wholly domestic basis to our data protection laws but the Bill allows for the continued application of GDPR standards. These standards were shaped with significant involvement of the UK, and combine support for innovative use of data with robust protections. The standards will also help open up trade and investment.

4. Key GDPR derogations in the Bill

The Bill includes a number of provisions to make the GDPR work better in the UK:

Consent for data processing

• The Bill allows the processing of sensitive and criminal conviction data in the absence of consent where justification exists, including to allow employers to fulfil obligations of employment law, to allow scientific research, to prevent unlawful acts and fraud, to support insurance processing, support democracy and political representation and to maintain the integrity of professional sports.

• The Bill includes exemptions for processing personal data for literary, journalistic or academic purposes, largely reflecting the current system. The overarching aim of this is to strike the right balance between freedom of expression of the media and the right to privacy for individuals.

• The Bill sets the age from which parental consent is not needed to process data online at age 13, supported by a new age-appropriate design code enforced by the Information Commissioner.

Data rights

• We exempt scientific and historical research organisations from certain obligations which would impair their ability to carry out their core functions. This is to ensure that the UK continues to be a centre for groundbreaking research.

• The Bill also limits rights where they could otherwise be abused to commit crime, disrupt legal proceedings, undermine safeguarding by public authorities, or disrupt the investigatory activity of regulators.