News and Events

Not another Data Protection Act!

  • Posted

In August I covered the Government’s statement of intent on new data protection legislation. Now we have the Data Protection Bill—draft legislation currently being debated in the Lords.

It is much more extensive than predicted, running to 218 pages in all, so four times as long as the General Data Protection Regulation with which it deals. In part this is because English statutory drafting is always much wordier (we call it precise) than that from the European mainland and in part because it deals extensively with the interaction between data protection and the police, security services, HMRC and other governmental bodies, largely exempting them from inconvenient provisions of GDPR.

It does however contain some provisions very relevant to GDPR and businesses:

  • Making clear that it is generally not necessary to disclose another person’s personal data when dealing with a Subject Access Data Request.
  • Confirming that legally privileged information need not be revealed.
  • Stating that information required to be disclosed by GDPR need not be provided if it would self-incriminate and may not be used in criminal proceedings against the discloser.
  • Nor should it be disclosed if it might affect share prices or is being used for management forecasting or planning, or in negotiations with the data subject which might be prejudiced.
  • Confidential references need not be disclosed.
  • Criminal convictions and the racial origins of employees can be processed by employers to comply with other legal obligations.

There are also provisions defining terms used in GDPR such as a “significant decision” in relation to automated processing. We now know that it means a decision having legal effect for the data subject or which “significantly affects the data subject”.

Whilst those are largely helpful for business and give us a better understanding of what is required, the fact that they will appear in an Act of Parliament and not be referenced in GDPR means that those attempting to interpret GDPR will need to constantly cross refer to the Act in case the provision in question is amended or explained by the Act.

It is to be hoped than an annotated version of GDPR will soon become generally available.

It should also be borne in mind that if the EU decides that it does not approve of the changes made by the UK Government it could have them declared unlawful by the European Court of Justice or, after Brexit, determine that the UK’s standard of data protection is not adequate thus preventing the free flow of personal data from the EU to the newly independent UK. 

To discuss your questions about GDPR, you can contact Brian Bannister on 023 8071 7466 or email


This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.  All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.