We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:



UK Data Reform: GDPR and Beyond

Posted by Peter Johnson 15 August 2017

Last week, the UK Government published its Statement of Intent regarding the new UK Data Protection Bill, which it says will bring the country’s data protection laws up to date and help to prepare it for the future, following its exit from the European Union (EU).

The Data Protection Bill will repeal the UK Data Protection Act 1998 and bring EU law, including the General Data Protection Regulation (GDPR), into UK law “in a way that as far as possible preserves the concepts of the Data Protection Act … while complying with the GDPR and Data Protection Law Enforcement Directive (DPLED) in full,” according to the document.

The Statement of Intent also indicates some of the derogations in the GDPR that the UK will exercise, including:

  • Processing of criminal data: The GDPR only permits bodies vested with official authority to process personal data on criminal convictions and offences. The Bill aims to preserve continuity with the existing position and extend the right to enable organisations other than those vested with official authority to process data relating to criminal convictions and offences.
  • Automated decision-making: The Government will ensure there are grounds for processing personal data by automated means where there are legitimate grounds for doing so and suitable safeguards in place.
  • Age of consent: The Government will set the minimum age at which a child can consent to data processing to 13.
  • Exemptions for research: Significant exemptions will be introduced to allow universities, research establishments, and museums to continue to operate in a way that protects information but does not inhibit future innovation and discovery.

In news that will be particularly welcomed by UK and international businesses, the Statement of Intent states that the UK Government is “committed to ensuring the uninterrupted data flows” between the UK, the EU, and other countries around the world.


With greater certainty on the long-term impact of the GDPR on the UK after it leaves the EU, it is important that organisations continue their preparations for the GDPR, which will become applicable from 25 May 2018. The ICO has provided guidance to help organisations with their preparations. In particular, your business should:

  • Ensure all key people in your company understand the GDPR.
  • Know what personal data your company holds and the lawful basis on which you rely when using and storing it: Keep in mind the more stringent consent requirements.
  • Check your privacy notices, policies, procedures, and other documentation are compliant with the new requirements.
  • Have plans in place to detect, report, and investigate data breaches.
  • Check whether you are required to appoint a data protection officer.

The new requirements may oblige your company to make operational and IT changes, which take time and require investment. Proactive organisations can use this as an opportunity to improve their data management strategies in such a way that enhances their data capabilities and could help them grow their businesses.

Peter Johnson