• International Workplace
  • 21 March 2018

Introduction to the new Data Protection Bill published

The UK's third generation of data protection law has entered Parliament. The Data Protection Bill was published on 14 September 2017 and aims to modernise data protection laws to ensure they are effective in the years to come.

The Information Commissioner’s Office (ICO) has published an Introduction to the Data Protection Bill, which is intended as an introduction to the content and structure of the Bill for organisations and individuals who are already familiar with data protection law and the General Data Protection Regulation (GDPR).

The Data Protection Bill was announced in the Queen’s Speech on 21 June 2017. The Bill updates data protection laws in the UK, supplementing the GDPR, implementing the EU Law Enforcement Directive, as well as extending data protection laws to areas which are not covered by the GDPR. It is intended to provide a comprehensive package to protect personal data.

The ICO provides the following guidance.

What is the difference between the DP Bill and the GDPR?

The GDPR has direct effect across all EU member states and has already been passed. This means organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DP Bill is the details of these. It is therefore important the GDPR and the Bill are read side by side.

What else does the Bill cover?

  • The Bill has a part dealing with processing that does not fall within EU law, for example, where it is related to immigration. It applies GDPR standards but it has been amended to adjust those that would not work in the national context.
  • It also has a part that implements the EU’s Law Enforcement Directive. This is part of the EU’s data protection reform framework and is separate from the GDPR. The Bill has provisions covering those involved in law enforcement processing.
  • National security is also outside the scope of EU law. The government has decided that it is important the intelligence services are required to comply with internationally recognised data protection standards, so there are provisions based on Council of Europe Data Protection Convention 108 that apply to them.

As the Bill makes its journey through Parliament, the Information Commissioner’s briefings will be published on its website. The briefings will be updated as necessary.


Information about the Bill’s progress through Parliament and transcripts of the debates can be found on the Parliament UK website.

The ICO’s introduction to the Data Protection Bill is available to download here.