Regulation Updates

What are The Law Commission’s proposals for the Official Secrets Act review? 

  • Civil servants who leak files of state secrets could be jailed for up to 14 years. Currently the maximum term is two years, under the Official Secrets Act 1989
  • Official secrets legislation to be expanded to cover “information that affects the economic well-being of the United Kingdom in so far as it relates to national security”
  • Foreigners who leak classified information overseas that damages British national security could be prosecuted in the UK for the first time
  • Dropping the use of the word “enemy” to describe foreign powers which are hostile to the UK to allow prosecutions for leaking of information to terrorist groups
  • “Anachronistic” jargon to describe secrets in law  like “sketches”, “plans”, “models”, “passwords” and “code words” to be replaced with the more generic “information”
  • The Official Secrets Acts 1911, 1920 and 1939 to be replaced with a modernised Espionage Act
  • The Official Secrets Act 1989 to be replaced with a data disclosure law amid concerns that it is “archaic” and has failed to keep pace with advances in technology
  • Prosecutors no longer to have to prove damage to national security to secure a conviction for disclosure of classified information
  • Spies and civil servants to be allowed “to seek authority” to release confidential information
  • An offence is committed if the defendant “knew or had reasonable grounds to believe his or her conduct was capable of benefitting a foreign power”

What will the Great Repeal Bill mean for UK citizens?

The Great Repeal Bill will allow for UK legislators to pick and choose which European Laws the UK has to follow. In the case of data protection, EU courts will no longer have jurisdiction over UK matters of Human Rights.

When will it happen?

The legislation will be introduced in the next parliamentary session, which starts with the Queen’s speech next May. It would need to be ready by the day the UK leaves the EU, which is now likely to be before March 2019.

General Data Protection Regulation (GDPR)

What is it?

Essentially the legislation aims to protect the rights of European citizens to determine whether, when, how and to whom their personal information is issued – and how it can be used.

The EU General Data Protection Regulation (GDPR) replaces the EU Data Protection Directive and comes into effect on 25 May 2018. It sets out a number of principles which are broadly similar to those already in the UK’s Data Protection Act. However, one key difference is that the GDPR applies to all companies processing and holding the personal data of people residing in the European Union – regardless of the company’s location. Consistency is a driving factor behind the regulation.

From 25 May 2018, all organisations that process the data of EU residents (personally identifiable data) will be required to abide by a number of requirements – or face significant penalties (e.g. fines of up to 4% of annual global turnover or €20 million – whichever is the greater).

Key requirements include:

  • The collection and processing of personal data
  • The rights of people
  • Data protection impact assessments
  • The role of the data protection officer and whether you need one
  • Data breaches – when and who to notify (72 hour rule)
  • Obligations for international data transfers.

How does it affect Organisations?

Data “controllers” (CIOs, CTOs etc.) within organisations need to be aware of all personal data under their control and be able to demonstrate that they understand the potential risks to information, as well as how to mitigate those risks. All within the next two years.

The advice of the Information Commissioners Office is that businesses need to start planning their approach to GDPR compliance as early as they can.

Brexit Impact

Numerous sources have discussed that the Brexit vote will have some impact on how all this works in the UK. However, the fact that GDPR applies to all companies holding data on EU citizens means that many UK businesses that trade with Europe will still need to comply with its rules even after Britain leaves the EU.

 What are the key dates?

 No milestone dates have been announced, however, numerous sources talk about the steps organisations can take now to prepare.


For a full timeline of the regulatory updates concerning privacy and security, click here.