The UK government will soon put forward a new data protection bill which is hoped to refresh the 1998 Data Protection Act in line with the EU’s planned implementation of the general data protection act (GDPR) in May 2018.

A step up from British Prime Minister Theresa May’s pledge to implement such a bill during the run up to the elections, the statement of intent by the country’s Minister for Digital, Matthew Hancock, promises a bill “fit for the digital age in which we live.”

Cracking down

Matthew Hancock, British Minister of Digital, Culture, Media and Sport
Matthew Hancock, British Minister of Digital, Culture, Media and Sport – Wikipedia

If the proposals are voted through by Parliament, companies in breach of the law could face fines of up to £17m ($22.24m) (or 4 percent of global turnover depending on the severity of the offense and the company’s revenue) if they are found to have failed to protect people’s data. At present, the maximum penalty in the UK is £500,000 ($651,300). 

Under the new bill, the Information Commissioner’s Office - the UK’s independent body whose role is to uphold information rights - will gain in authority, allowing it not only to impose higher fines but also to issue recordable prosecutions. The offenses it will be charged with overseeing will be ”modernized to ensure that prosecutions continue to be effective.” 

The regime will make it easier for individuals to force companies to disclose what personal data they hold on them, to ask for it to be corrected if it is wrong, to be deleted or to withdraw one’s consent for it to be used. It will require that firms obtain “explicit” consent to process sensitive data, and expand the definition of what falls under the denomination of personal data to include IP addresses, biometrics and cookies. 

It will also ban the re-identification of individuals on the basis of anonymized or pseudonymized data, extending the rule to the handling or processing of such data. Pre-ticked boxes and default opt-outs will be also be made illegal under the legislation, to ensure people’s active consent.

GDPR stipulates that parents must give their consent for any children under 16 to use the Internet, but the UK proposed bill would make this so but for children under the age of 13, as agreed with the EU. 

Finally the draft states that the bill will ensure that data circulates freely between the UK in the EU, even after Britain’s exit from the union.

However holding people’s data against their wishes will remain legally justified by organizations if deleting it would threaten the public’s freedom of information or if it is considered of prime importance for research purposes.

Breaking old habits

As with GDPR, the new bill will require that British companies employ a data protection officer and adapt their use of data ahead of its implementation.

Greg Hanson, the EMEA VP for Informatica’s cloud business stated that ”UK companies must have a comprehensive view over all the relevant data they hold if they are to comply with the new Data Protection Bill. If a customer triggers their ”right to be forgotten” and the business doesn’t have a comprehensive data management strategy, it can’t guarantee to delete all the necessary information. With fines of £17m ($22.24m) or 4 per cent of global turnover for non-compliance, good data management just became an essential for all consumer facing businesses.”

”As a result, UK businesses need to identify which data will be subject to the new law and ensure that it can be easily accessed and deleted if needs be. To do this, they should map out all their data across the whole organization, no matter where it is stored. Many companies have built up vast databases of personal information over the years, so an automated data discovery system is essential - humans can’t process it all in time.

“A powerful automated data management strategy is essential if UK businesses are to gain the deep insight they need to ensure they are compliant.”