The Data Protection Bill, likely to become the UK Data Protection Act, will give effect to the GDPR in the UK. As with every member state, the UK has certain derogations and flexibilities around the GDPR provisions. One such area is the UK's proposal to include criminal sanctions for directors, similar to the existing provisions of the DPA 1998.
Section 177 of the Data Protection Bill provides that where a company commits an offence under the proposed Data Protection Act, and it is proved that the offence was committed with the consent or connivance of, or is attributable to the neglect of, a director or officer, then that director or officer (the "D&O") is guilty of the offence as well as the company.
Proposed offences under the Data Protection Bill include:
- Obstructing an ICO inspection of personal data that is carried out to comply with the UK's international obligations, refusing to provide information to the ICO when it is formally requested, or giving the ICO false information;
- Obtaining or disclosing personal data without the consent of the controller (the current s55 DPA criminal offence which has been used to prosecute individuals who have unlawfully traded in personal data such as mobile phone contract renewal dates and insurance claims histories); and,
- Altering personal data to prevent disclosure in response to subject access requests.
The Data Protection Bill has yet to receive Royal Assent, so these provisions could still be amended or removed. However, the ICO has been calling for increased directorial responsibility and sanctions, and a similar directors' liability provision already exists in section 61 of the DPA 1998, so they stand a good chance of becoming enshrined in law.
The ICO wants to see directors take personal responsibility for data protection failures, and once the Bill's section on criminal offences and directors' liability is in force we may well see more criminal cases brought against individual directors and officers.