UK to enshrine GDPR with data protection law revamp
Overhaul of data protection laws will make it simpler for users to delete their data, with non-compliant companies facing fines up to 4% of global turnover
The UK government has unveiled plans to overhaul the country’s data protection laws in a move that will bring its rules more in line with the EU’s incoming General Data Protection Regulation.
The proposals will give Britons more control over what happens to their personal information, including the right to ask for some data to be deleted.
Firms that flout the rules, which are part of an overhaul drafted by digital minister Matt Hancock, will face potentially large fines – up to £17 million or 4% of global turnover. This is up from £500,000 under current law, and the powers will be enforced by the UK’s Information Commissioner, the government said.
"The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world," said Hancock in a statement.
"It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit."
The new proposals will bring British law in line with the GDPR, which is set to go live next year, setting a number of new obligations on companies. These will include:
• Make it simpler for people to withdraw consent for personal data to be used
• Let people ask for data to be deleted
• Obtain explicit consent before processing sensitive personal data
• Allow people to obtain the information companies hold on them much more freely.
The proposals will also make re-identifying people from anonymised data a criminal offence, while expanding the definition of personal data to include IP addresses, DNA and cookies.
Elizabeth Denham, the information commissioner, said: "We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public."
Though the law is in line with the EU’s GDPR, a question mark remains over what purpose it serves, as UK companies would still be subject to the EU regulation once it comes into force in May. With the country’s exit from the European Union pending, the bill would arguably fill the gap the GDPR leaves behind, although it is important to note that the GDPR applies to any data controller (an organisation that collects data from EU residents), processor (an organisation that processes data on behalf of a data controller) or data subject (person) within the EU.
In other words, UK companies who operate in Europe or process the data of European citizens would have been subject to GDPR post-Brexit anyway.
According to Veritas Technologies, a cloud data management business, a recent survey of more than 900 companies found that 31% claimed to be ready for the new EU rules, but almost a fifth of those admitted they could not erase or modify personal data.
The cost of breaching the new rules, whether the UK’s version or the EU’s, is potentially high. In its statement of intent, the government said companies carrying out high-risk data processing will be “obliged to carry out impact assessments to understand the risks involved” in handling it. This could significantly affect the data centre and telecoms market.