On Thursday, April 20^th, the UK government launched a “Call for Views” regarding the UK’s options for the implementation of the new EU General Data Protection Regulation (GDPR) at national level.  The consultation deadline is May 10^th, at mid-day UK time.

Although the GDPR was an effort to bring greater harmonization to data protection regimes throughout the EU, it nevertheless contains a number of areas in which national laws can deviate from its default position – for instance to permit researchers to store and use health data without having to repeatedly seek consents, or to ensure that freedom of expression is not unfairly curtailed by the “right to be forgotten.”

The UK consultation therefore asks for input about how those national “derogations” should be exercised (if at all), grouping them into the following 15 “Themes”:

1. Supervisory authority powers and procedures

2. Sanctions

3. Demonstrating compliance (e.g. codes of conduct and record-keeping)

4. Data protection officers

5. Archiving and research

6. Third country transfers (exports of personal data to non-EEA countries)

7. Sensitive personal data and exceptions

8. Criminal convictions

9. Rights and remedies (e.g. protection against algorithm-driven decision-making, and the availability of collective redress mechanisms)

10. Processing of children’s personal data by online services (e.g. age under which apps and website must obtain consent from a parent)

11. Freedom of expression in the media (e.g. exceptions from the “right to be forgotten” by media organisations, and from the right to information about their sources)

12. Processing of data (a broad “theme” everything from basic fairness and “further processing” conditions, through to HR data processing, via topics as broad as information security, data protection impact assessments, and use of third party “data processors”).

13. Restrictions (the setting aside of GDPR rules that conflict with a public interest, for instance national security)

14. Rules surrounding churches and religious associations

15. Additional (overarching) question: “in the context of the derogations above, what steps should the Government take to minimise the cost or burden to business of the GDPR?”