The new Data Protection Bill explained
Who owns your personal data? It might sound like a simple question, but the ways in which data is collected from individuals and processed by organisations are the subject of a complex and ongoing debate. Ultimately, it’s up to the law to define the rules around data protection, and to tell businesses what they can and can’t do with your details.
As promised in the Queen’s Speech earlier this year, the UK government is pushing forward with a new Data Protection Bill. Included in the bill are new rules strengthening the so-called ‘right to be forgotten’ – the idea that consumers should be able to request the deletion of their data held by social media platforms and businesses in general. This comes alongside a range of other privacy-tightening initiatives.
Embarrassing Facebook pics? Forget about it
Everyone makes mistakes, especially growing up. But while the youthful excesses of previous generations could be reliably swallowed up by the sands of time, today’s youngsters aren’t so lucky.
It’s almost impossible to be active on social media and remain anonymous, with some past indiscretions out there for the whole world to see – including potential employers.
The right to be forgotten means the power to ask external parties to delete your data. It could be because you don’t want colleagues to see those embarrassing photos, or that you simply withdraw consent for your personal information to be held by a particular business.
While established rules allow individuals to request the removal of their data from search engine results, the new bill extends this concept significantly.
As long as the data is no longer required for its original purpose, the Data Protection Bill will compel organisations to erase it on request – especially if the individual was a child when the data was collected. That said, exceptions could theoretically apply when freedom of expression, historical importance or public interest is involved.
Personal data: handle with care
The new bill includes additional data privacy measures, with the digital minister, Matt Hancock, explaining that ‘The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world.’
Mr Hancock added that ‘It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit’.
The definition of personal data will be expanded to cover things like IP addresses, browser cookies, and even DNA. Individuals should be able to have these deleted at will, or gain access to them personally, with a minimum of fuss.
Emphasis on the concept of ‘data portability’ means that data should be easier to export or transfer, e.g. from a company to an individual consumer, or between service providers when switching over.
Another key concept is ‘privacy by default and design’. By now you’re probably used to clicking a box not to receive future updates and offers. This is set to change, with new requirements for organisations to obtain explicit consent before they can hold your details on file. In other words, the default will be opt-out rather than opt-in. You also shouldn’t have to dig through mile-long user agreements to see what happens to your data.
Currently, the most severe punishment for organisations that suffer serious data breaches is a maximum fine of £500,000. Even then, some of the biggest, most well-known losses of consumer data have resulted in significantly lower penalties.
The new bill will introduce fines of up to £17 million, or four percent of the organisation’s global turnover. In addition, the Information Commissioner’s Office (ICO) will need to be notified of any breach within 72 hours.
Part of the reasoning behind these increased penalties is to ensure providers of essential services like water, energy, transport and healthcare are more prepared for serious cyberattacks, such as the one that hit the NHS earlier this year.
Some 46 percent of British businesses were affected by some form of breach or attack over the last year. The aim is to bring this number down by deterring lax security and encouraging organisations to put the best possible safeguards in place.
Even steeper penalties could be incurred by anyone who attempts to re-identify individuals based on anonymised data, for example by piecing together fragments of information to reveal an individual’s identity against their will.
The Brexit factor
The new Data Protection Bill is largely intended to mirror the General Data Protection Regulation. As we’ve previously highlighted, even though the GDPR is an EU regulation, UK law needs to demonstrate equivalence with other countries on the continent to ensure continued data flow in a post-Brexit world.
And it’s not just about the GDPR, either. The EU is working on other regulations, such as the Network and Information Systems (NIS) directive, focusing more on the protection of services and infrastructure, rather than just the personal data emphasised by the GDPR.
With all these new developments, it’s advisable to stay on top of new data privacy regulations wherever possible; a good overview of data protection reform is available from the ICO. This is especially true if your organisation regularly collects personal data from customers.