Data protection act exemptions: what you need to know before GDPR

The UK government is implementing the requirements of GDPR directly into UK law in order to ensure a smooth switch-over, post Brexit. It has recently been confirmed that the current exemptions given in the existing data protection legislation will continue to apply.

Given that the current exemptions are reported to have “worked well” under the Data Protection Act, they will continue to be exempt when the GDPR is brought into force. The exemptions cover professions including journalism, research institutions that hold research data, and financial services.

According to a statement made by the UK government, the exemptions remain necessary “to ensure that UK businesses and organisations can continue to support world leading research, financial services, journalism and legal services”.

In other words, the government recognises that there are certain situations in which an individual or organisation may have a legitimate reason to want or need to access a data subject’s private data. The most obvious reason is to protect against activities that are unethical and/or illegal (such as sports doping, money laundering and fraud).

It’s important to understand that the exemption only applies where there is a good reason for it to do so.

In short, it applies where there is a strong argument that the individual’s de facto right to privacy is less important than the need to protect against a recognised threat (such as terrorist financing).

The exemption does not give any individual or organisation free rein to access personal data as they see fit. For example, an investigative journalist could reasonably use the exemption to cover themselves if they were investigating a public figure whom they had good cause to believe had been involved in corrupt activities, but they could not use it to justify hacking into a celebrity’s voicemail.

Although the UK government has named four sectors as being likely to need this exemption, in principle it can apply anywhere it can justifiably be said that the needs of the many (the public interest) outweigh the needs of the few (the data subject).

The key point is that the data must be being accessed for a specific and legitimate purpose.

The best approach to the new legislation is to assume that all data subjects have a full right to privacy unless they have given their consent for their data to be used, but to be aware that there is an exemption to this rule, which might be used if need be.

If a business can foresee a need to monitor a person’s data, for example to ensure compliance with one or more laws, then it is best to obtain consent for this at the point of sale.

If this is made standard practice, you avoid alerting any particular data subject of whom you may have suspicions.

If, in spite of this, you find yourself in a situation where you believe that you have reasonable grounds to need or want access to a data subject’s information without their consent then you may have the legal right to do so, but it is strongly recommended to get specialist advice first.