The UK government has published a statement of intent setting out details of the upcoming Data Protection Bill (DPB), which is intended to give effect to the EU General Data Protection Regulation (GDPR) in the UK from May 2018.
The new DPB is designed to modernise a regime that has not been updated since 1998 and to give people more control over their personal data.
It has been described by the digital minister as giving us “one of the most robust, yet dynamic, set of data laws in the world” that “protects privacy, strengthens rights and empowers individuals to have more control over their personal data”.
A number of new measures are proposed, perhaps most notably “the right to be forgotten”. Consumers will be able to ask businesses and organisations for access to the personal data held about them and to have that data deleted. The UK is also choosing to extend this right so that social media companies must, on request, delete data held about a person that was posted before they turned 18.
The definition of personal data has also been extended to include IP addresses, cookies (of the browser kind, not the chocolate chip kind) and DNA.
It will also become much harder to rely on consent as the basis for processing data such as email addresses, including via those “opt in/opt out” boxes that we all forget to tick or untick when completing online orders. Under the proposed laws a pre-ticked or opt-out box will no longer be sufficient to establish consent; consent will need to be a clear, affirmative act. There will also be tighter restrictions on automated data processing and decision making.
It remains to be seen how this will operate in practice, but it seems likely to give rise to more claims for breaches of data protection as businesses try to get up to speed with the measures needed to comply with the new laws. The right not to be subject to decisions based solely on automated processing will no doubt affect certain businesses, including financial services, that rely heavily on this type of processing.

There will also be stricter penalties for those who fail to comply, including fines of up to £17m (up from £500,000 under the Data Protection Act), and new criminal offences for re-identifying people from anonymised data and for altering records after a data request with the intent of preventing disclosure, each punishable by a fine of up to level 5 on the standard scale.
Regardless of what happens with the Bill, the GDPR will apply from 25 May 2018 with no grace period for businesses to get up to speed, so preparation is key!