The Department for Digital, Culture, Media and Sport has published a statement of intent (the “Statement of Intent”) for a New Data Protection Bill. While the General Data Protection Regulation (the ‘GDPR’) will become directly applicable in all EU Member States from 25 May 2018, it is the government’s intention to bring this EU law into our domestic law to ensure a smooth transition through Brexit.

The GDPR allows Member States a number of derogations and the Statement of Intent indicates where the UK government is planning to derogate. One such derogation is the threshold for the minimum age at which a child can consent to data processing can be set to any age between 13 years and 16 years and they have indicated, after receiving responses for a call for views that they see no reason to set this threshold higher than age 13.

In addition to implementing the GDPR, the New Data Protection Bill will implement the Data Protection Law Enforcement Directive (the ‘DPLED’), which would otherwise not have direct applicability to UK law. The DPLED is designed to cover the gap in the GDPR regarding the processing of personal data for “prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.

Although the DPLED is focused on cross-border data sharing, the government has decided that the standards which the DPLED establishes will be extended to all domestic data processing for law enforcement purposes. Howard Ricklow, a partner in Collyer Bristow’s team focused on supporting SME compliance with GDPR, said: “The Statement of Intent demonstrates the UK’s commitment to strong data protection legislation post Brexit, however it could mean that many organisations need to review their data privacy and protection policies so that they are compliant with the new laws”.

Howard added that “with the increased fines and penalties available to the Information Commissioners Office for breaches of data protection law it is every company’s best interests to undertake this review sooner rather than later to avoid a breach when the laws come into force”.