08 August 2017

The Government have announced new data protection laws with the aim of giving people more control over how others use their personal data including the right to be forgotten.

The Data Protection Bill will see the existing European privacy rules brought into British law and will replace the Data Protection Act 1998.

Here Matt Hancock, the Minister for Digital, outlines the reasons for the change and why it is important:

What are the key changes? 

Under the plans individuals will have more control over their data, including the right to be forgotten and to ask for their personal data to be erased. This will also mean that people can ask social media channels to delete information they posted in their childhood. Consent will no longer be able to rest on default opt-outs or pre-selected ‘tick boxes’, which are largely ignored; organisations will need an active opt-in before collecting personal data.

In summary, the Data Protection Bill will:

  • Make it simpler to withdraw consent for the use of personal data
  • Allow people to ask for their personal data held by companies to be erased
  • Enable parents and guardians to give consent for their child’s data to be used
  • Require ‘explicit’ consent for the processing of sensitive personal data
  • Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
  • Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
  • Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
  • Make it easier for customers to move data between service providers
  • Create new criminal offences to deter organisations from either intentionally or recklessly creating situations where someone could be identified from anonymised data.

What areas will need to be addressed?

  • Privacy. Opt-out boxes hidden at the end of forms and information on data use buried in privacy policies may no longer be acceptable. Organisations must make consent an explicit opt-in, and must know who will have access to the data and what they will do with it.
  • Personal data. An expanded definition will bring IP addresses, cookies (and information on web browsing habits) and even DNA into scope. Organisations need to audit the data they collect, determine what falls in scope, and decide whether the burden of collecting and maintaining each item outweighs its benefit.
  • Automated processing. Where algorithmic technology is used to profile an individual or make decisions about them, the GDPR gives individuals the right not to be subject to a decision based solely on automated processing that significantly affects them, and to require human intervention in that decision. As insurance applications and job applications increasingly rely on this kind of processing, this could have a big impact.
  • Portability. Consumers should be able to move data between providers if required without barriers being put in their way. For example, documents stored on a cloud storage site should be able to be ported to another quickly and easily.
  • The right to be forgotten. Organisations will need to provide access to the personal data they hold on others. Requests can also be made to wipe data (including all social media posts made by individuals when they were younger than 18). Companies will need to consider whether their data storage and retrieval systems and processes can locate and delete an individual's data on request.

What are the consequences for transgressions?

The data protection regulator, the Information Commissioner’s Office (ICO), will also be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4 per cent of global annual turnover, whichever is higher, in cases of the most serious data breaches. The current Data Protection Act allows for a £500,000 maximum fine, so the new limits represent a significant change, with large companies potentially in line for very significant fines.

Two new criminal offences are also to be created, with potentially unlimited fines: re-identifying individuals from anonymised data, and altering or destroying records to prevent their disclosure after an individual has requested them.

What's happened so far?

A new set of cross-EU data rules, the General Data Protection Regulation (GDPR), applies from 25 May 2018. The UK has an obligation to update its existing data rules so that they are equivalent to the European Union's laws. This will allow organisations to continue to send and receive data freely within Europe following Brexit.

The Government consulted on the derogations (exemptions) permitted within the GDPR in April/May this year. Responses from over 150 individuals and 170 organisations were received and can be viewed on the GOV.UK website.

The Government issued a statement of intent, New Data Protection Bill: Our planned reforms, on 7 August as a commitment to updating and strengthening data protection laws through a new Data Protection Bill.

The bill will see the government exercise the available derogations, reproduce the exemptions and safeguards currently found in the Data Protection Act, and extend protections in some areas. The Information Commissioner will provide guidance on the transition to the new law.

What does all this mean for businesses?

Businesses need to get up to speed with what the new rules will mean and what impact they are likely to have on existing data collection and use. We'll be exploring the changes in more detail in the coming months here on theNBS.com.

Note that this article is not intended to constitute legal advice or offer comprehensive guidance.