The Data Protection Bill – What do I need to know?




The draft Data Protection Bill [HL] 2017-19 will get its second reading in the House of Commons today, Monday 5th March 2018, moving one step closer to receiving Royal Assent. In preparation for the second reading, the House of Commons issued a 60-page briefing paper which includes a summary of the Bill and the House of Lords debates[1].

In May 2018, as we all know, there will be some changes to the EU’s data protection framework – the General Data Protection Regulation (GDPR) will apply from 25th May and, as it is a Regulation, it does not need to be transposed into domestic law. But prior to that, the Police and Criminal Justice Directive, also known as the Law Enforcement Directive (LED), needs to be transposed into UK law by 6 May.


GDPR widens the scope of the previous Data Protection Directive (the EU legislation that underpinned the Data Protection Act 1998) to provide data subjects with greater protection for their personal data, and also extends data subject rights. The Regulation reduces the principles from 8 to 6 but introduces 8 data subject rights, some of which are a continuation of rights under previous legislation (like subject access requests) and some of which are new. Data controllers must be able to demonstrate compliance with all the principles (accountability) and there are new obligations for data processors.


The LED will apply to both the cross-border and domestic processing of personal data for law enforcement purposes and repeals the previous 2008 Framework Decision. The Directive is designed to protect the personal data of individuals involved in criminal proceedings, whether they are witnesses, victims or suspects. In addition, it is anticipated that the LED will “facilitate a smoother exchange of information between Member States’ police and judicial authorities, thereby improving cooperation in the fight against terrorism and other serious crime in Europe.”[2]

An overview of the LED can be found here.

Council of Europe Convention on Processing Personal Data

The Council of Europe is not an EU institution and the UK will continue to be a member after Brexit.  The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No108) was the first binding instrument on data protection.  The UK ratified the Convention in August 1987 and it entered into force on 1 December 1987:

“[The Convention]…protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data.”[3]

The Convention will be modernised and will reflect the same principles as GDPR. A draft version is available online.

The Draft Bill

The draft Data Protection Bill (‘the Bill’) has a number of purposes:

  • It sets out how the UK would apply the derogations available under GDPR

  • It will bring the Law Enforcement Directive (LED) into UK law

  • It updates the laws governing personal data processing by the intelligence services

  • It aims to ensure that the UK would be able to freely exchange data with the EU post-Brexit

  • It will repeal the Data Protection Act 1998

The Bill was originally introduced into the House of Lords on 13th September 2017, but its passage has been slow due to a number of concerns around the age of consent for children to have access to information society services, immigration control and freedom of expression in journalism.

GDPR allows Member States a limited number of derogations, and following consultations in 2017, the Government confirmed it would exercise those derogations in the following areas:

  • The age of consent for children to access information society services

  • Processing criminal conviction and offence data

  • Automated individual decision-making

  • Freedom of expression in the media

  • Research

The Bill was introduced to the House of Lords on 13th September 2017 and, following much debate, it was introduced to the House of Commons on 18th January 2018.

The Department for Digital, Culture, Media and Sport (DCMS) factsheet provides a succinct summary of what the Bill will do –

The Bill is split into seven Parts and eighteen schedules:

  • Part 1: Bill overview and definition of key terms
  • Part 2: General data processing in line with GDPR and other general data processing in areas outside the scope of EU law
  • Part 3: LED and law enforcement processing
  • Part 4: National Security Processing through a modernised Council of Europe Convention
  • Part 5: Functions and Duties of the Information Commissioner – including a requirement to publish codes of practice on data sharing, direct marketing, and age-appropriate design for online services likely to be accessed by children
  • Part 6: Enforcement regime and ICO Powers
  • Part 7: Various issues including regulation to be made under the Act, penalties for offences and the Act’s territorial application

The Briefing Paper also includes a summary of the House of Lords debates for those who are interested in reading more, and the full debate transcripts are available on the House of Lords website.

So, for those of you using the 80 days (including weekends and bank holidays) to prepare for GDPR, what does this mean? Well, if you don’t carry out any national security or law enforcement processing then your GDPR preparations will stand you in good stead, although you may want to glance at the draft Bill and specifically the section around the Information Commissioner and Enforcement. If you do carry out national security or law enforcement processing, then you have probably already been preparing for the changes under the LED, but you will need to familiarise yourself with the Parts of the Act that are relevant to you. Everyone will need to monitor the Government’s Brexit negotiations, as once we leave the EU the UK will be a ‘Third Country’ and there may be additional requirements to enable the transfer of data between the EU and member states.





[2] European Commission, Questions and Answers – Data protection reform packages, 24 May 2017 –


