New data bill to pass GDPR into UK law
The government has confirmed what techies were told to expect – that Britain’s exit from the EU will not stop European privacy rules coming into force.
In fact, from May 25th 2018, the General Data Protection Regulation will become effective across the UK, confirms an official ‘statement of intent’ published yesterday.
Designed to ‘protect Britain in the digital age’ by updating the Data Protection Act (unchanged since 1998), a new Data Protection Bill for the UK will bring GDPR into UK law.
But as the GDPR requires some modification to make it work for the benefit of the UK, the bill will make the necessary changes.
'Right to be forgotten'
Under the plans, individuals will have more control over their data by having the 'right to be forgotten' and being able to ask for their personal data to be erased.
This will also mean that Britons can ask social media channels to delete information they posted in their childhood (before they were aged 18).
In addition, the reliance on default opt-out or pre-selected ‘tick boxes’, which are largely ignored, to give consent for organisations to collect personal data will also "become a thing of the past," the government claimed.
But ‘data-controllers’ will face heftier fines of up to £17million (or four per cent of global turnover), and the definition of “personal data” will be expanded to include internet cookies, IP addresses and DNA.
Business groups sound generally supportive, even though it is their members who stand to be affected by having to meet the new, stricter data protection requirements.
The CBI said: “This legislation strikes the right balance in improving standards of protection while still enabling businesses to explore new products and services.”
But with the penalty for breaching UK data laws due to dwarf its current maximum of £500,000, the price for non-compliance could be “fatal,” warns Informatica.
“Businesses need to identify which data will be subject to the new [right to be forgotten] law and ensure that it can be easily accessed and deleted if needs be.
“To do this, they should map out all their data across the whole organisation, no matter where it is stored,” said the data firm’s Greg Hanson.
In addition, the bill will:
- Enable parents and guardians to give consent for their child’s data to be used
- Require ‘explicit’ consent for processing sensitive personal data
- Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
- Make it easier for customers to move data between service providers (known as 'data portability')
The government also says that new criminal offences will be created to deter organisations from either intentionally or "recklessly" creating situations where someone could be identified from anonymised data.
But Tech UK said it welcomed the bill, which comes as more than 80% of people say they do not feel they have complete control over their data online.
The body said: “[We support] the aim of a Data Protection Bill that implements GDPR in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations.”