In early August, the UK Government published its Statement of Intent in relation to a proposed Data Protection Bill. PwC’s initial analysis, which can be found here, notes that the proposed Bill largely reflects the General Data Protection Regulation (GDPR).
Notably, the Statement of Intent does divert from the GDPR in at least one area: it sets out a proposed new offence which relates to:
‘intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Offenders who knowingly handle or process such data will also be guilty of an offence. The maximum penalty would be an unlimited fine.’
The proposal is striking for a number of reasons:
The wording of the proposed offence – as currently drafted - opens up the possibility that anonymised data could be manipulated to re-identify individuals.
