The Government has issued a statement of intent in which it has committed to updating and strengthening data protection laws through a new Data Protection Bill. The forthcoming EU General Data Protection Regulation (GDPR) will come into force in May 2018, and the intention of the Bill is to bring the EU Regulation into UK law. Incorporating the Regulation into UK law in this way will also ensure that it is not affected by the UK’s departure from the European Union in 2019.
The GDPR and the new Bill will affect all businesses operating in the UK that control or process any personal data in any capacity, so it is vital that you are familiar with the obligations placed on your organisation before the GDPR and the Bill are implemented. Indeed, many companies have already begun to take pre-emptive action to ensure compliance. It was recently reported that Wetherspoon deleted its entire customer email database in order to minimise its risk of non-compliance.
The Bill will also bring the UK’s data protection laws up to date, as there have been no substantial changes since 1998, and clearly, much has changed with regards to the way data is collected, used and processed. Technological development and societal shifts have left the 1998 legislation somewhat out of date and in need of an overhaul. The Bill will repeal and replace the previous Data Protection Act 1998.
The statement of intent details many proposed reforms which the Bill will seek to implement, and some of the key areas for businesses to be aware of are highlighted below.
Reinforced rights of individuals:
The Bill will reinforce the rights of individuals with regard to the protection of their data, and will grant them the right to request deletion of their personal data in certain circumstances. For example, under the new “right to be forgotten”, an individual will be able to require that social media platforms delete any postings they made when under the age of 18.
There will also be a focus on the rules surrounding consent, to ensure that there is no ambiguity as to what the individual is agreeing to, such as the ambiguity created by pre-populated tick boxes for mailing lists and other third party contact.
Individuals will gain greater access to the data stored about them, and it will be made easier for them to move their data between service providers, promoting competition and innovation in the marketplace.
Where decisions are made about them based solely on automated processing, individuals will also gain the right to request that a person reviews how that decision was reached. This could affect many sectors, such as credit reference agencies, and other similar sectors which rely on automated processes.
Higher accountability and enhanced regulation:
The Bill will introduce more accountability for organisations that have permitted a breach. The Information Commissioner will retain existing powers and gain additional authority to impose greater sanctions for breaches.
The maximum level of fines will be increased from the current £500,000 up to £17m, or 4% of the global turnover of an organisation. The most serious offences will become criminally recordable, and the Bill will modernise offences to suit the current digital age. Two new offences will be created: intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, and altering records with intent to prevent disclosure following a subject access request. Unlimited fines will be introduced for criminal offences, and in addition to the two new offences, existing offences will be widened.
The Bill is expected to be published in September 2017; however, the Government has made its intentions clear with the statement of intent. Until further details are known, it would be advisable for organisations to begin reviewing their current processes and procedures. Organisations that do not currently comply with the GDPR or the provisions set out in the statement of intent should seek advice on how best to begin bringing themselves into compliance in anticipation.
If you would like to discuss this further, or have any concerns, please contact us, and we would be happy to discuss your options.