Main menu


+44 (0)151 600 3000


+44 (0)161 836 8800


+44 (0)1772 823 921

Search form

Search form


GDPR vs The Data Protection Bill

GDPR vs The Data Protection Bill
Wednesday 15th November 2017

The UK’s new Data Protection Bill (“the Bill”), which was first introduced to Parliament last month, is intended to implement the EU General Data Protection Regulation (GDPR) and address areas (such as exemptions) where member states are afforded some discretion in applying the GDPR principles to domestic law (as well as creating some new criminal offences). The Bill also introduces similar provisions to those in the GDPR in respect of data processing by law enforcement authorities and intelligence services; areas which are outside the scope of the EU regime.

Controllers and Public Authorities

The substance of the Bill begins with a clarification of the term “controller”. The controller bears the brunt of the sanctions for non-compliance, and the GDPR’s definition (persons “who determine the purposes and means of the processing of personal data”) largely mimics that of the Data Protection Act 1998 (DPA). However, the Bill provides special rules in respect of data processed by the Crown or by Parliament, and retains a provision from the DPA which says that, where data is required to be processed by an enactment, the controller is the person upon which that requirement is imposed.

A definition for the term “public authority” (which is used, but not defined, in the GDPR) is also provided in the Bill, by reference to the Freedom of Information Act 2000. Whilst this was not an unexpected move, the definition notably includes limited companies whose shareholders are all public bodies (such as local authorities). One of the main repercussions of this is that such companies will not be able to rely on the “legitimate interests” ground for processing personal data.

Extended provisions

One topic of interest to the public is the minimum age at which children may provide their consent to the processing of their personal data. The default position under the GDPR is 16 years but member states are permitted to reduce this to not less than 13 years; the Bill implements the lowest age of 13.

The Bill also expands on the issue of processing sensitive personal data (such as data relating to racial origins, religious beliefs, sexual orientation etc.) which, under the GDPR, is prohibited unless certain conditions are met. The Bill provides substantial guidance on those conditions and, in some cases, may make them harder to fulfil. Controllers processing sensitive personal data will have to have appropriate policy documents in place, explaining their procedures for securing compliance with the data protection principles and their data retention and erasure policies.

An appeal route is also provided in the Bill for individuals that have been subject to a decision which substantially affects them based purely on automatic processing.

Criminal Offences

There are several new criminal offences created by the Bill which are not present in the GDPR or the existing DPA framework.

The DPA offence of knowingly (or recklessly) obtaining or disclosing personal data without the controller’s consent subsists, but the Bill also makes it an offence to retain such data once it has been obtained without consent, or to sell (or offer to sell) such data. It will also be an offence under the Bill to decrypt encrypted personal data, or to process such data once it has been decrypted, without the controller’s consent. Finally, in an attempt to safeguard data subjects’ access rights, it will be an offence under the Bill to alter or destroy personal data that a data subject has requested (and is entitled to receive) access to.


The Bill contains a wide array of exemptions from the provisions of the GDPR, some of which will be familiar to those acquainted with the existing DPA framework.

A large portion of the GDPR (including data subjects’ rights of access to data, rectification, erasure, data portability and objecting to processing) is exempted for various purposes that are in the public interest, such as the prevention of crime, the maintenance of effective immigration control, the protection of charities and the securing of the health and safety of workers (amongst many others).

The ‘freedom of expression’ exemption, which was present in the DPA, also subsists in the Bill where personal data is processed for the purpose of journalism or for academic, artistic or literary purposes.

The right of a data subject to access personal data held about him/her is explicitly limited in the Bill so that a controller is not obliged to disclose data to a subject if other individuals are identifiable from that data. The obligations on controllers to provide information about their processing of personal data to subjects are also exempted in various situations, including where compliance would cause a controller to incriminate itself for a criminal offence.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.