Data Protection Bill: Criminal offences and directors' liability

As UK business prepare for 25 May 2018 when the General Data Protection Regulation ("GDPR") comes into force, businesses must also get to grips with the Data Protection Bill (the "Bill") which was published yesterday. It is important to note how the Bill and the GDPR interrelate as per our article published yesterday here.

Whilst the Bill introduces a lot of the same concepts, it also includes various derogations and exemptions which supplement the GDPR, in particular in relation to criminal offences and directors' liability.

Criminal Offences

The Bill includes two new criminal offences that are not outlined in the GDPR:

Alteration of  personal data to prevent disclosure:

It is an offence for the data controller or a person employed by the data controller to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of information that a data subject enforcing its data rights would have been entitled to receive.

Offenders will be liable on summary conviction to a fine.

Re-Identification of de-identified personal data:

It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.

Offenders will be liable on summary conviction or on conviction on indictment, to a fine.

Both of these new criminal offences are recordable offences i.e. they will appear on the offender’s criminal record.

Directors' liability

Whereas the GDPR does not provide for directors’ personal liability where a company breaches data protection legislation, the Bill introduces personal directors' liability, incorporating provisions directly from the Data Protection Act 1998 (the “DPA”). Where an offence is committed by a company and it is established that it has been committed "with the consent or connivance of or attributable to neglect" of a director, that director as well as the company will be guilty of an offence. Offenders will be “liable to be proceeded against and punished accordingly”.  

The Bill transplants various sections of the DPA into the GDPR in this way, so we will look to provide further comment on the inclusion of such passages alongside further updates relating to criminal offences and directors' liability during the passage of the Bill through Parliament and after the new regimes come into force.

Send us a message