The UK Government has formally announced a new Data Protection Bill, keeping in line with EU’s GDPR.
The move means that UK firms will have to ensure they comply with the upcoming EU privacy laws that give new protections to consumer’s online data (and hand out big fines for companies that breach them).
Digital Minister, Matt Hancock, has formally announced the government’s intent to overhaul its data protection laws, in the form of a new Data Protection Bill, to keep the UK in line with the EU’s forthcoming GDPR law.
The new Data Protection Bill will update the current Data Protection Act, which was introduced in 1998, and aims to give citizens more control over their online data, as well as give the authorities more power to impose tougher sanctions on firms that don’t comply.
The government has previously said that it would continue to comply with EU GDPR rules following the UK’s decision to leave the European Union, in order to keep close data links with other member states.
A House of Lords Select Committee recently warned that the UK shouldn’t isolate itself from the EU when it comes to data legislation and any future trade deals, in order to avoid a “cliff edge” when we do leave the Union by the end of March 2019.
Right to be forgotten
Under the new legislation, individuals will have more control over their data by having the right to be forgotten and to ask for their personal data to be erased.
For example, citizens will be able to ask social media companies to delete information posted about themselves.
The government said that the reliance on default op-out or pre-selected ‘tick boxes’, which are largely ignored, to give consent for organisations to collect personal data will become a thing of the past.
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), will be given more powers and will be able to issue higher fines, which could reach up to £17 million or 4 per cent of global turnover. The highest maximum fine is currently £500,000.
Matt Hancock, Minister of State for Digital said: “Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.
“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.
Elizabeth Denham, Information Commissioner, said: “We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.
“Many businesses still not budgeting for data changes”
Commenting on the news that Britons could obtain more control over what happens to personal information under proposals outlined by the government, Mishcon de Reya Cyber Security Lead Joe Hancock said: “These proposals appear to be primarily intended to transfer the European General Data Protection Regulation (GDPR) into UK law, which means that businesses will not have much time to ensure they are compliant by May 2018 when the GDPR comes into force.
“Many businesses still rely simply on data policies to drive compliance, as we have seen with approaches to the current data protection act. This approach has not prevented many incidents of data loss or misuse.
“The GDPR aims to support the wider digital economy and use of personal data and goes much deeper, requiring a business to understand its data and how it is actually managed day to day.
“Transparency and openness are the key to building trust in how businesses process data. Clearly telling customers how you collect their data and use it, in plain English, should go a long way to addressing many of the frustrations with data collection practices.
“These laws are intended to protect individuals, not to penalise businesses: it’s entirely possible for businesses to collect and use personal data if it is done in a managed and open way.
“It is clear that privacy and security of data needs to be taken seriously. It seems that many businesses still do not budget for the effort required to do this properly. Getting the basics right and complying with regulation should prevent a lot of the problems we see today.
“For over a year we have been hearing about the large fines that these changes will bring, but the threat alone will not help to improve the levels of data protection.
“As a headline, the right to be forgotten is a positive move for the protection of children and young people. Since 2000, we have a truly digital generation whose entire lives will have been lived online. This right to be forgotten and the wider rights to access, correct and delete data will put individuals in control of their own data.”