bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland

GDPR Updates: A Little Bit of Certainty

08 August 2017

The Government published its Statement of Intent yesterday in relation to the new Data Protection Bill anticipated in September 2017. This had been mentioned by the Queen, no less, in her speech following the 2017 General Election. This was also published taking into account the views expressed by those responding to the consultation exercise which took place earlier this year identifying the areas where the UK Government can derogate from the provisions in the GDPR.

Whilst there was little clarification contained in this statement, we can now say that the following issues are clear/clearer.

Criminal Offences

There will be three new criminal offences:

  • Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data;
  • Altering records with a view to preventing disclosure following a subject access request; and
  • Widening the offence of unlawfully obtaining data

In relation to sentencing, it appears that imprisonment will not be an option for offences under the new Data Protection Act and that fines will remain the only option in relation to sentencing.

Children’s Consent

The Government has clarified that children aged 13 and over can provide consent to their personal data being processed. This also means that they can make subject access requests on their own behalf and indeed, once a child has reached 13, parents should not be provided with their child’s personal data without their consent. One for schools to be aware of.

Processing of Criminal Conviction and Offence Data

There is an exemption in relation to this under the Data Protection Act 1998 which applies to all organisations and the Government has decided to keep that exemption in place. Under the GDPR the exemption only applies to those vested with official authority.

Automated Decision Making

The Government will allow this to take place as long as suitable safeguards are put in place to protect the rights, freedoms and legitimate interests of the individual. This includes the right to object to automated processing if it produces an outcome with legal or similar effects without human intervention.

National Security

There is no provision in relation to data processing for national security reasons in the GDPR as the EU does not have jurisdiction there. However, the Government will provide a distinct data protection framework in the Bill in line with the Council of Europe’s Convention.

Cyber Security Breaches

The Government recognises that effective data protection in part relies on data security and refers to the National Cyber Security Centre and Cyber Essentials. It also notes that the new data breach reporting requirement will contribute to a richer source of data on cybersecurity breaches. It will be interesting to see how this is implemented as the Scottish Government and Police Scotland will also be interested in sharing this data.


In my view, this statement provided very little certainty other than confirming that the age of consent will be 13 in the UK, which was expected anyway. The Bill expected after the summer recess will hopefully provide more.

For more info visit our GDPR updates page.

