Britons will be able to gain more control over what happens to their personal information under proposals outlined by the government and as part of the new GDPR regulations, which replace the Data Protection Act in May next year. For example, citizens will be able to ask for personal data, or information posted when they were children, to be deleted.
The proposals are part of an overhaul of UK data protection laws drafted under Digital Minister Matt Hancock.
Firms that flout the law will face bigger fines, levied by the UK’s data protection watchdog; fines can be up to 4% of a company’s global turnover. The bill will transfer the European Union’s General Data Protection Regulation (GDPR) into UK law. “The new Data Protection Bill will give the UK one of the most robust, yet dynamic, set of data laws in the world,” said Mr Hancock in a statement. “It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit,” he added.
Proposals included in the bill will:
- Make it simpler for people to withdraw consent for their personal data to be used
- Let people ask for data to be deleted
- Require firms to obtain “explicit” consent when they process sensitive personal data
- Expand personal data to include IP addresses, DNA and small text files known as cookies
- Let people get hold of the information organisations hold on them much more freely
- Make re-identifying people from anonymised or pseudonymised data a criminal offence
This places a strong burden on firms to protect data and allows for significant fines if they fail to protect information or suffer a breach.
The world of social media will be affected: people who worry about embarrassing social media posts lingering online for years will soon have the right to ask for them to be removed. And if any firm holds your personal data, from your name to your DNA, you will be able to ask it to delete that data. There are, however, grounds on which those holding the data can refuse such requests, such as freedom of expression, matters of scientific or historical importance, or a legal requirement to keep the data, as with the NHS.
Many of these measures are already part of the EU’s forthcoming GDPR, but they are also being woven into the government’s bill. All of this goes beyond the “right to be forgotten” rules that already apply to search engines. Those rules affect what can be listed in search results, whereas the GDPR and associated legislation affect data held by a wide range of companies.
In the UK, firms that suffer a serious data breach could be fined up to £17m or 4% of global turnover. The current maximum fine firms can suffer for breaking data protection laws is £500,000.
The UK’s Information Commissioner will have its powers strengthened and extended to help it police the new regime. Elizabeth Denham, the Information Commissioner, was quoted as saying: “We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.”
Larger companies are well versed in the requirements moving forward, but small companies were largely in the dark about what the proposed law would mean for them, warned Mike Cherry, national chairman at the Federation of Small Businesses. “They simply aren’t aware of what they will need to do, which creates a real risk of companies inadvertently facing fines,” he said.