Data Protection Bill published

Having announced last month it’s intentions for a new Data Protection Bill (as per the Queen’s speech back in June) the government have, this week published it’s initial draft of the Bill.

On the face of it, the Bill aims to implement the General Data Protection Regulation (GDPR) into UK law, not because they have to (the GDPR is a European regulation which means it applies across the whole of Europe regardless of member state law) but so that we’re ready for Brexit and to perhaps head of any confusion about whether the Regulation applies to the UK or not, pre- or post-Brexit.

In reality the Bill is bit of a monster at 204 pages and with wording like:

“Controller” and “processor”, in relation to the processing of personal data to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies, have the same meaning as in that Chapter or Part (see sections 4, 5, 30 and 81).


In Parts 5 to 7, except where otherwise provided—

(a) references to the GDPR are to the GDPR read with Chapter 2 of Part 2 and include the applied GDPR read with Chapter 3 of Part 2;
(b) references to processing and personal data are to processing and 15 personal data to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies.

it’s not an easy read.

In essence (and thankfully set out in plain English in Part 1 (1) in form of an overview), the Bill:

  • refers to the processing of personal data
  • applies the GDPR when it comes to general processing of personal data
  • adds to the GDPR in terms of applying similar provisions of the GDPR to certain types of data which the GDPR doesn’t apply
  • sets out the processing of personal data by competent authorities for the purposes of law enforcement and intelligence services
  • clarifies the position of the Information Commissioner (who will remain the “data regulator”)
  • sets out how data protection legislation will be enforced
  • sets out how the legislation applies to the government and courts

Unfortunately whilst the government has provided some overview of the Bill and what it means, it’s lacking in precise detail and what detail there is, is spread over a number of documents.

Bottom line: continue preparing your business for the GDPR. Where, in the GDPR, a derogation is allowed, try and find how the UK’s implemented that derogation in this Bill.

For sure there are interesting times ahead. This is only a preliminary draft of the Bill. It has to be read by both houses of Parliament (Commons and Lords) and is likely to change, although that depends on how it’s received by parliamentarians.

For more information: