Blog

GDPR – DPA 1998 will be amended to allow GDPR implementation

On Wednesday 1st February the Rt Hon Matt Hancock, MP and Minister of State for Digital and Culture sat in front of the EU Home Affairs Sub-Committee to answer questions on various aspects of data protection. If you have a spare hour you can watch the session on parliamentlive.tv – EU Home Affairs – data protection package

Below are just some of the points I have picked out from the session on GDPR. The session also discussed the EU-US Privacy Shield and the EU-US Umbrella Agreement.

Although not much was given away by Matt Hancock during the GDPR part of the session and, on occasions, he appeared to have difficulty in answering their questions, he did state right at the very start to the members of the EU Home Affairs Sub-Committee that the UK will be adopting GDPR and his reasons for this were that the GDPR is a good piece of legislation and we need to have unhindered data flows between the UK and EU post Brexit (remember this as you continue to read).

The Sub-Committee attempted to find out if it an Adequacy Decision would be part of the Brexit negotiations so that it would be in place by the time we leave the EU. Note – an Adequacy Decision is an agreement that states the UK has adequate data protection laws to meet the requirements of EU laws when processing the personal data of EU citizens.

Matt Hancock was reluctant to provide a clear answer on this issue and relied on not wanting to hinder the Brexit negotiations by divulging any detail at this stage. However, he did say that the UK Government is “keen to ensure data flow is unhindered”. The Sub-Committee were quite tenacious on this issue and continued to push Matt Hancock to answer if there would be an Adequacy Decision in place. Again he stated that it “was important to have an unhindered data flow” and that this “needs to happen in an uninterrupted way”. He continued to say that  he wanted to make sure  come Day 1 of post Brexit we had an “unhindered data flow”.

The next question was about who would have final say on data protection matters once the UK no longer came under the rule of the European Court of Justice.

Again, rather like the first question, Matt Hancock was unable to give any comment on who would have the final say on such matters, but he did say “there were several ways it could be achieved”. He declined to give any further information relying on once again not wanting to hinder the Brexit negotiations. But did add that “it was key that we had unhindered data flow”.

At this point in the proceedings he was handed a post-it note and I do wonder if it said stop saying “unhindered data flow” – if you watch the video you will see how repetitive this phrase has become by this stage. Needless to say, he didn’t stop saying those words as he kept coming out with them throughout the GDPR part of the session!

Interestingly the Sub-Committee re-picked up the issue of the UK having an Adequacy Decision post Brexit and asked if this was something that could work. Matt Hancock again was very reluctant to answer this question and informed the Sub-Committee members that he was not going to go further than what he has said already as there is a need to protect the UK’s negotiating position. The Sub-Committee were not going to give up though and continued to ask if having an Adequacy Decision is an option that could work as it is something that will be needed for other countries. Matt Hancock did confirm that an Adequacy Decision could work, but that’s all he did, there was once again no information given as to whether this was one of the options being looked at. There was consensus that an Adequacy Decision would be needed with other countries, such as the US. At the moment the UK, as part of the EU, relies on Privacy Shield to allow the sharing of data with the US.

One question I found interesting that the Sub-Committee asked was on the resource implications for getting UK organisations GDPR compliant. The response to me shows that the Government are out of touch with what is happening in the real-world. Matt Hancock informed the members that the data protection team in DCMS was fully resourced and working very hard to deliver GDPR inside Government. It was what Matt Hancock said next that surprised me. He believed that for organisations outside of Government there wasn’t much that needed to be done and so long as they were adhering to best practice now there shouldn’t be any problems and won’t find the transition a burden. He made no mention of them needing to be legally compliant just best practice would do. Is it really appropriate for an MP and Minister to say this?  You only need look at the enforcement action and fines the Information Commissioner issues to private sector business to see that the private sector must be just as legally compliant with data protection law as Government has to be. The DPA and GDPR do not say it’s only for Government to comply with, it’s for all businesses who process personal data of a living individual.

The Sub-Committee also asked if we would mirror any changes made to GDPR after we have left the EU. Again, there was a rather non-committal answer given from Matt Hancock only that the UK Government would either make the decision on mirroring the changes at that time or we would have our own interpretation of those changes brought into UK law, but he did go on to say once again that we would still want to maintain the “unhindered data flow”.

With regard to the existing Data Protection Act 1998, Matt Hancock confirmed that changes would need to be made to this to allow GDPR to be implemented and work on this was already a foot with legislation going to be put forward at the next session.

So, some of the key messages that came out of the GDPR session are:

  • UK will implement GDPR on 25 May 2018
  • DPA 1998 will be amended to allow GDPR to be implemented
  • UK wants to maintain an unhindered data flow with the EU
  • An Adequacy Decision could work between the UK and EU
  • The UK needs Adequacy Decisions with other countries who we share data with, such as the US
  • DCMS data protection team are fully resourced and working hard to deliver GDPR within Government
  • UK may mirror any changes made to GDPR after we have left the EU.

After watching this meeting it appears to me the discussion on GDPR at this Sub-Committee took place too early in the year as Matt Hancock really was at pains to give any answers to the questions they put to him. Either he didn’t have an answer as it was still an unknown at this stage or he was not at liberty to divulge any information to the Sub-Committee – we will never know! However, what it should do is highlight to him and Government the concerns the Sub-Committee have that need to be addressed. Maybe more detailed answers will be given at the next meeting on GDPR with the EU Home Affairs Sub-Committee.