The UK has become only the eighth EU member state to pass legislation which will bring GDPR into domestic law, after the UK Data Protection Act 2018 finally received Royal Assent yesterday, just 48 hours before the new EU legislation comes into force.
Information Commissioner Elizabeth Denham has hailed the move, saying “we are eager to embrace the changes it brings, [and it] will make our country one of the world’s most progressive data protection regimes”.
The new Act updates data protection laws in the UK, and sits alongside GDPR. Crucially for the ICO, the legislation gives the regulator far greater investigatory powers, including company inspections without a warrant, a 24-hour deadline for enforcement notices, and the threat of criminal action against people found to be blocking investigations.
Denham said: “The UK’s growing digital economy relies on consumer trust to make it work. The Act, along with the GDPR provides a modernised, comprehensive package to protect people’s personal data in order to build that trust.
The legislation requires increased transparency and accountability from organisations, and stronger rules to protect against theft and loss of data with serious sanctions and fines for those that deliberately or negligently misuse data.
“Governed by these laws, organisations will have the incentive and the opportunity to put people at the heart of their data services. Being fair, clear and accountable to their customers and employees, organisations large and small will be able to innovate with the confidence that they are building deeper digital trust.”
However, not everyone is convinced about the Act. Senior Labour MP Darren Jones, a member of the EU Scrutiny and Science & Technology Select Committees and a former member of the Public Bill Committee for the Data Protection Bill, has claimed the law is already out of date and does nothing to tackle the issues of companies exploiting personal data.
Last week he said: ““We had the opportunity to set our standards high, and to lead a cutting edge legislative debate in the world. Instead, we’ve ended up with a rushed, inadequate Bill which serves certain time pressures but fails entirely at properly understanding and regulating the digital world within which an increasing amount of our daily lives are lived.”
Earlier this week, it was revealed that only seven EU member states had passed domestic laws to enforce GDPR. Spain, Italy, Portugal, Romania and Latvia claim they will have the legislation passed by the beginning of June.
However, Belgium, Bulgaria, Cyprus, the Czech Republic, Greece, Hungary, Lithuania and Slovenia will not be ready until far beyond the May 25 deadline.
Four days until GDPR D-Day: Only seven EU states ready
MPs ‘as clear as mud’ about how to comply with GDPR
‘Inadequate’ Data Protection Bill is ‘already out of date’
Parish councils win reprieve as ICO gets more powers