Back to top
News In Focus

Data protection proposals unveiled by ministers

7 August 2017

More details of planned reforms to the UK's data protection laws have been published by the Government today, following responses to a consultation it held.

They include the adoption in UK law of the EU's General Data Protection Regulation, so that information can continue to be transferred to and from EU countries after Brexit.

Individuals will have more control over their personal information, and will be able to ask for personal data, or information posted when they were children, to be deleted.

The legislation will:

  • make it easier, and free, for individuals to require an organisation to reveal the personal data it holds on them.
  • make it easier for people to withdraw consent for their data to be used;
  • enable them to ask for their data to be erased;
  • enable them to move personal data, including photographs, if changing internet service providers;
  • require parents and guardians to give consent to data processing for a child under 13, and make it simple to withdraw consent;
  • expand the definition of personal data to include IP addresses, internet cookies and DNA;
  • require firms to obtain “unambiguous” consent before they collect and process personal information, and “explicit” consent to processing sensitive personal data, ending the reliance on pre-selected tick boxes;
  • create new criminal offences of intentionally or recklessly re-identifying individuals from anonymised data, and altering records with intent to prevent disclosure following a subject access request; and widen the existing offence of unlawfully obtaining data to include retaining it against the wishes of the controller (even where it was initially obtained lawfully).

There will be exemptions for journalists and whistleblowers to protect their role of holding organisations to account, underpinning the free press.


Data controllers will require to have a data protection officer to advise them on data issues, handle complaints and ensure compliance with the Data Protection Law Enforcement Directive.

The UK Information Commissioner will have additional powers to police and enforce the new regime. Under the GDPR, the maximum civil fine it can impose for failing to protect information or breaching data protection laws will rise from the present £500,000 to £17m or 4% of an organisation's global turnover.

Launching the proposals, Digital Minister Matt Hancock commented: "The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world.

“It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”

Figures in the Government's paper show the internet economy contributing an estimated one-eighth of the UK's GDP in 2016, well ahead of other leading economies: the average for the EU 27 member states and the G20 economies comes in at between 5% and 6% for each grouping.

Elizabeth Denham, the Information Commissioner, responded: “We are pleased the Government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.”

Click here to access the Government proposals.

Have your say

Your comment

Tim Musson

Monday August 7, 2017, 17:24

Just a few comments:

1. Adoption in UK law of the EU's General Data Protection Regulation will not necessarily make post-Brexit transfers of personal data between the UK and EU Member States easy. What we will need is an adequacy decision by the EC. I and several others have grave concerns about this.

2. The legislation will not "require parents and guardians to give consent" - there is no obligation on parents and guardians to do this.

3. The GDPR does not require consent before collecting and processing personal data. Consent is one of six possible legal bases for processing personal data.

4. If consent is used as the basis for processing sensitive personal datai the GDPR does require it to be “explicit”. However, there is no clear distinction between "consent" and "explicit consent".

5. Not all data controllers will require to have a data protection officer under the GDPR. Any of three specific criteria can give rise to this obligation.