The UK Government has released a statement of intent which provides us with a useful indication of what will appear in its Data Protection Bill. We have not yet seen a draft copy of the Bill but the statement does reveal some important titbits on how the UK will implement the General Data Protection Regulation. As has been well publicised, the GDPR will come into force across the EU, including the UK, on 25 May 2018.

The key takeaways from the statement included:


We already knew that once the GPDR comes into force the maximum fine which the Information Commissioner's Office can impose will increase from £500,000 to £17,000,000 (or 4% of the organisation's global turnover if higher).

The statement of intent confirms the Government's support for the increased sanctions which it considers will be high enough to make sure breaching data protection legislation won't be profitable and will allow "the ICO to respond in a proportionate manner to the most serious data breaches".

Perhaps this is an indication that, just because the ICO will have the power to respond proportionately to very serious breaches, it won’t necessarily increase the fines it already administers for more typical data breaches. We will have to wait and see. 

Protecting children and the age of consent

One of the key themes of the GDPR is enhanced online protection for children and the Government will make this one of its top priorities in the new Bill.

The GDPR gives member states some flexibility in determining the age at which children can give their consent for the use of their personal data. The Government has confirmed that children as young as 13 years old will be able to give their own consent which is the youngest age permitted by the GDPR. Parents or guardians will be need to provide consent to use the personal data for those 12 and under. 

The accessibility of criminal records

Under the GDPR only bodies with the requisite official authority will be able to use personal data relating to criminal convictions and offences. The GDPR does include a derogation which allows member states to expand the use of such data of which the UK intends to take advantage. The statement of intent confirms that prospective employers, for example, will still be able to carry criminal record checks for potential employees even after the GDPR comes into effect.

Free media

The Data Protection Act 1998 exempts journalists from certain data protection obligations. The intention of the exemption is to ensure that the freedom of the press is preserved. 

The statement of intent confirms that the Government is satisfied that the existing exemption strikes the right balance between protecting individuals' data protection rights and maintaining a free press and it intends to incorporate the existing exemption into the new Bill.  

Automated decision making

The GDPR will give individuals the right not to be the subject of a decision which has been made automatically and without any human intervention (e.g. a decision which has been made solely by a computer).

The Government considers that there will be times when such decision making is necessary, such as credit checks. Accordingly, the Government intends to rely on another exemption in the GDPR which permits such automated decision making as long as suitable measures are in place to safeguard individual's rights, freedoms and legitimate interests.

The statement of intent is a useful indication of what the Data Protection Bill may look like but the devil will no doubt be in the detail so we will have to wait for the publication of the first draft Bill before we start to form a complete picture of the future of data protection in the UK.

If you would like any advice or assistance in relation to the GDPR, or information law in general, please contact Jonathan Moore, Michelle Dean or Lauren Danks

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set optional analytics cookies to help us improve it. We won't set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences. For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

We'd like to set Google Analytics cookies to help us to improve our website by collection and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
For more information on how these cookies work, please see our Cookies page.