New Data Protection Bill will strengthen UK data protection law


The Government previously announced during the Queen's Speech its intention to update UK data protection law via a new Data Protection Bill.

Today the Government detailed the headline changes from the forthcoming Data Protection Bill, in a statement of intent published online.

The new Bill will implement the General Data Protection Regulation (GDPR) in full and therefore smooth the Brexit transition process by aligning UK data protection law with EU data protection standards.

The key changes the Government lists are:

  • Make it simpler to withdraw consent for the use of personal data
  • Allow people to ask for their personal data held by companies to be erased ("right to be forgotten")
  • Enable parents and guardians to give consent for their child’s data to be used
  • Require ‘explicit’ consent to be necessary for processing sensitive personal data, such as health data
  • Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
  • Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
  • Make it easier and free of charge for individuals to require an organisation to disclose the personal data it holds on them ("data subject access request")
  • Make it easier for customers to move personal data between service providers ("right to data portability")

DMA members are familiar with these proposed changes as most of them originate from the GDPR.

The GDPR contained various derogations, that is, parts of the Regulation that can be varied from country to country. For example, the age of consent for children can be set between ages 13 and 16.

The UK Government consulted the DMA on the derogations and has now indicated what it will do in this announcement. On the age of consent for children for personal data processing, the Government believes 13 is most appropriate. The DMA supports this decision and had lobbied for it.

Furthermore, the Government intend to introduce a new legal requirement, which is an extension of the right to be forgotten in the GDPR, for social media companies. There will be a new right to require social media platforms to delete information on children and adults when asked.

Speaking about the Bill, Digital Minister Matt Hancock MP said: “I am determined to ensure that the Bill supports innovation and although in some cases there will need to be changes to business processes, data will still be used as productively for all current uses ranging from marketing to research. There is no conflict in both enhancing citizen protections and supporting UK economic activity. It’s all about using data wisely.”

This time of reform is a watershed for data protection law and organisations should use the reforms as an opportunity to create a business culture that has data privacy at its heart.

The new Data Protection Bill is in essence all about giving consumers greater control over their personal data. Consumers are increasingly doing business with brands based on how that company treats their personal data.

In practice organisations must be responsible custodians of personal data and be accountable and transparent to consumers as to how they will use their personal information.

The robust accountability principle introduced by GDPR places emphasis on record keeping and privacy impact assessments. Organisations should be able to demonstrate their compliance with the law and always be thinking about how their behaviour could impact people’s personal privacy and their data protection rights.

Picking up on these points, DMA Director of External Affairs, Mike Lordan, said: “The Data Protection Bill will put into law much of the substance of the GDPR, which will transform the day-to-day operations of any business that works with data and comes into force in May 2018.

“This new legislation gives consumers more control over their data, which will in turn persuade businesses to act more responsibly.

“But businesses should not view these new laws as shackles inhibiting innovation, as some do, but as opportunities to better serve customers in new and exciting ways.”

The full Bill was not published today but will likely be published on one of two dates, either when Parliament returns from its summer break in early September or when Parliament returns from the conference season in early October.

If you have any concerns regarding the Bill then you can contact the Government team via email: dataprotectionbill@culture.gov.uk or the DMA’s External Affairs Manager, Zach Thornton, via email: Zach.Thornton@dma.org.uk


Comments

MyLife Digital Ltd.'s response to the Bill:

We welcome the Government’s approach to adopt and adapt the EU General Data Protection Regulation to meet the requirements of the growing base of technology users across the UK. In particular we applaud the desire to keep the UK at the pinnacle of data protection with the continual setting of gold standards – not only for protection, but for innovations in the digital arena and personal information management.

With Brexit talks underway, the UK needs to ensure that organisations based here maintain adequate levels of data protection to support future trade through data transfers internationally. Being a trusted and respected third country outside of the EU will allow organisations to seamlessly maintain the strong relationships they have built within EU member states and beyond.

We are heartened to see the Data Protection Bill will bring clarity to the GDPR to remove confusion and address some of the misunderstandings surrounding the legislation. We have noted in particular the confusion between consent and preference. One being the explicit permission to present information to a citizen, the other being how and when they would like to receive said information. These two terms are most definitely not the same.

There had been confirmation that the UK was to adopt the GDPR. Many organisations have begun policy and procedural changes ahead of the new data protection legislation as well as the EU Privacy Directive. This announcement by the Department for Digital, Culture, Media & Sport provides the assurance that these regulations are now law.

From our part, MyLife Digital has been at the forefront of technology, rethinking personal data and creating ‘Privacy by Design’ solutions, since 2015.

When we founded our business, the GDPR had not been proposed but we believed – strongly – that the citizen’s best interests should be at the heart of how organisations collect, store, utilise and analyse data. From the enablement of citizens to obtain a clear view of how their data is managed for themselves, to allowing them simple mechanisms to act on their rights.

For organisations, this highlights the strengthening of trust and improvement in engagement our framework can bring.

The digital age brings about the potential for sharing of rich data, but only if the relationship between citizen and organisation is transparent, and only if there is trust. Still further if there is trust, data can bring benefits to society as a whole.

Accountability for the GDPR, and now the Data Protection Bill, should be a Business as Usual exercise across the entire company. In fact, it’s much more than compliance – it’s ethical best practice when it comes to respecting personal data which after all belongs to the citizen, not the organisation.

Trust is central to our way of thinking, John Hall, Chief Executive Officer, MyLife Digital Ltd says,

“With Consentric, we deliver trust. More than products and services, we’re about communicating differently. Developing new and deeper relationships with your market. We enable people partnerships that gain you powerful insights. That add value to the individual, to the organisation and to society as a whole. So, everyone benefits. That’s the shape of the new digital economy. One that’s based on trust.”

If data is the currency of the digital economy, then trust should be the credit rating.