The Government has announced its plans to update and strengthen the UK’s data protection laws following Brexit through a new Data Protection Bill. The Data Protection Bill is intended to make it easier for individuals to investigate how their personal information is being used by businesses and greatly increase their power to use the “right to be forgotten”. The proposals are part of an overhaul of UK data protection laws drafted under Digital Minister, Matt Hancock.
“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world,” said Mr Hancock in a statement.
“It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit,” he added.
The Government has stated that the proposals included in the bill will:
- Make it easier for individuals to withdraw their consent for the use of personal data.
- Allow people to ask for their personal data held by businesses to be erased.
- Enable parents and guardians to give consent for their child’s data to be used.
- Require ‘explicit’ consent for processing sensitive personal data.
- Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA.
- Update and strengthen data protection law to reflect the changing nature and scope of the digital economy.
- Make it easier and free for individuals to require an organisation to disclose the personal data it holds about them.
- Make it easier for customers to move data between service providers.
The Data Protection Bill will place a strong burden on organisations to protect data and will provide for significant fines if they fail to protect information or suffer a breach. In the UK, organisations that suffer a serious data breach could be fined up to £17m or 4% of global turnover, whereas the current maximum fine for breaking data protection laws is £500,000.
The proposed legislation is intended to bring the European Union’s General Data Protection Regulation (“GDPR”) into domestic law, which will mean the data protection systems are aligned after Brexit. Many of the provisions are already contained in the GDPR.
Elizabeth Denham, Information Commissioner, said “We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.”
Julian David, CEO of techUK, said “The UK has always been a world leader in data protection and data-driven innovation. Key to realising the full opportunities of data is building a culture of trust and confidence.
This statement of intent is an important and welcome first step in that process. techUK supports the aim of a Data Protection Bill that implements GDPR in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations.”
Organisations that are prepared for the GDPR’s implementation in May 2018 will likely be well-prepared for when the laws proposed in the Data Protection Bill come into effect. With the increased fines for non-compliance and the upcoming changes to the data protection regime in the UK, it is now more important than ever to audit your organisation’s handling of personal data and ensure that appropriate safeguards are in place to avoid potentially ruinous consequences.