The new Data Protection Bill will update the current Data Protection Act, which was introduced in 1998, and aims to give citizens more control over their online data, as well as give the authorities more power to impose tougher sanctions on firms that don’t comply.
The government has previously said that it would continue to comply with EU GDPR rules following the UK’s decision to leave the European Union, in order to keep close data links with other member states.
A House of Lords Select Committee recently warned that the UK shouldn’t isolate itself from the EU when it comes to data legislation and any future trade deals, in order to avoid a “cliff edge” when we do leave the Union by the end of March 2019.
Under the new legislation, individuals will have more control over their data by having the right to be forgotten and to ask for their personal data to be erased. For example, citizens will be able to ask social media companies to delete information posted about themselves.
The government said that the reliance on default opt-out or pre-selected ‘tick boxes’, which are largely ignored, to give consent for organisations to collect personal data will become a thing of the past.
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), will be given more powers and will be able to issue higher fines, which could reach up to £17 million or 4 per cent of global turnover. The highest maximum fine is currently £500,000.
Matt Hancock, Minister of State for Digital, said:
Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.
The new Data Protection Bill will give us one of the most robust, yet dynamic, sets of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.
Elizabeth Denham, Information Commissioner, said:
We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.
Julian David, CEO of techUK, said:
The UK has always been a world leader in data protection and data-driven innovation. Key to realising the full opportunities of data is building a culture of trust and confidence.
This statement of intent is an important and welcome first step in that process. techUK supports the aim of a Data Protection Bill that implements GDPR in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations.
As noted above, the new Data Protection Bill will bring the European Union’s GDPR into UK law, which the government states will help “Britain prepare for a successful Brexit”.
Within the government’s statement of intent for the new bill, it highlights the main changes in rights for citizens and the new obligations for data controllers and processors (i.e. companies). Plenty of research has indicated that many firms are woefully underprepared for the new legislation, which they now have less than a year to prepare for (the law comes into effect on 28th May 2018).
For individuals, new rights include:
- Right to access your data – The GDPR requires that data controllers provide individuals with the first copy of the personal data undergoing processing free of charge. For any further copies requested, the controller may charge a “reasonable fee” based on administrative costs.
- Data portability – A new right to data portability, which allows individuals to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to transmit it to another data controller.
- Right to be forgotten – The GDPR widens the existing ‘right to be forgotten’, including the right for individuals to obtain erasure of personal data relating to them and the abstention from further dissemination of such data. The principal difference is a strengthening of the law: rather than applying only when substantial damage or distress is likely to be caused, it now applies whenever a data subject withdraws their original consent for the data to be available, as long as the data is no longer necessary or legally required for the grounds on which it was originally collected, and there are no overriding legitimate grounds for processing.
- Legal remedy – There is greater scope for enforcing rights under the GDPR. Where an individual is affected by an infringement of data protection rules, it should be possible for actions to be brought on behalf of similarly affected individuals by a representative entity (e.g. an ombudsman, or consumer or civil society bodies).
For data controllers and processors, the new obligations include:
- Data breach notification – The GDPR adds a requirement for data controllers to notify the supervisory authority (the ICO in the UK) of personal data breaches without undue delay, and within 72 hours where this is feasible, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of an individual.
- Abolishing processing notifications – The GDPR abolishes the current system requiring data controllers to notify the supervisory authority of their processing of personal data. Currently, data controllers must notify the ICO of their data processing activities and pay a fee.
- Data Protection Impact Assessments – A requirement that data controllers or processors must undertake a data protection impact assessment for data processing which presents high risks.
- Data protection officers – A requirement that data controllers or processors must designate a data protection officer if they are a public authority or body (except for courts), or if their core activities include processing operations which are regular and systematic on a large scale, or include processing special categories of personal data and data relating to criminal convictions or offences.
- Administrative sanctions – The GDPR introduces a new range of administrative sanctions for a wide range of infringements of the Regulation, with penalties of up to £17m (€20m) or 4% of global turnover.
The announcement today is simply the government’s formal intention to introduce the Data Protection Bill, which was detailed in the Queen’s speech. It also builds on commitments already made by the government to comply with the EU’s GDPR. However, it serves as a reminder that companies don’t have much time left to prepare for the extensive changes being introduced.