Reading The Data Protection Bill
The Government has finally published the Data Protection Bill 2018, which gives effect to the provisions of the GDPR and the less high-profile Law Enforcement Directive. At 132 pages, it's a long read, but it's likely to play a big part in your future business life. Here are a few aspects of the Bill that immediately jump out from a review.
Exemption for Public Bodies
If the Bill is enacted, public bodies will be exempt from the heavy administrative fines envisaged by the GDPR, except where they are engaged in some kind of business for profit. This is a large, unexpected benefit for these bodies, particularly if they are not already well on the road to GDPR compliance.
It's interesting to note that the Data Protection Commissioner, Helen Dixon, described this proposed exemption as a "serious matter of concern" last year. "The purpose of the punitive fines provided for in the new law is to act as a deterrent to all types of organisations, and we see new basis upon which public authorities would be excluded," she said. Given the large number of public bodies that already feature in the Commissioner's case studies, indicating some problems complying with existing legislation, it's hard not to share her unease.
Amendment, Not Repeal
When the Data Protection Bill was first mooted, some of us hoped that it would repeal and replace the existing Data Protection Acts, providing a single source of legislation for citizens, officials and organisations to work from. That hasn't taken place here: instead, existing legislation is tinkered with rather than replaced.
It's a relatively minor quibble, but it would have made a lot of sense to mark a 'clean break' between old and new legislative regimes at this point. It would also have made life a lot easier for people who have to understand the law. Now, those people will have to continue shuffling back and forth between different Acts to know their rights and obligations - or pay lawyers to do it on their behalf.
Tough Individual Sanctions
The GDPR does not mandate that individuals should be liable for criminal action if they breach the law. However, it's left open to member states to do so, and most people would expect that flagrant abuses would remain criminal offences here. That has proved to be the case.
Unauthorised disclosure of a person's data to a third party, and disclosure of data obtained without authority, will be criminal offences punishable by a fine of up to €50,000 and/or six months in prison - for either a company, or an employer who carries out the offence. While these are clearly intended to cover deliberate breaches of the law rather than mere incompetence, they are an important motivator for people. I'd suggest that providing clear personal consequences for mishandling data like this will actually make life easier for organisations that need to get staff on board with compliance.
Find Out More
Get GDPR-ready with resources on our site.
Read the full text of the bill.