The government has released details of the contents of the new data protection bill, which will grant Britons more control over their personal data.
The Bill will bring elements of the European Union’s General Data Protection Regulation (GDPR) into UK law and aims to ensure that the UK’s data protection regime is fit for the Information Age.
An overview of the new Data Protection Bill
The government anticipates that the creation and use of data will add £241 billion to the UK economy between 2015 and 2020.
The Bill sets out three objectives of the UK government:
- Maintaining trust and confidence of data subjects that their data will be handled securely, legally, responsibly and ethically.
- Ensuring that organisations in the UK are able to transfer data to and from countries in the EU and beyond.
- Safeguarding the UK's security and law enforcement authorities’ ability to collect, share and process personal data for national security purposes.
People will have the right to force social media companies and online traders to delete their personal data under laws to be brought forward by the government. This will enshrine the “right to be forgotten” into UK national law.
The main aim of the Bill will be to ensure that data can continue to flow freely between the UK and EU countries after Brexit, when Britain will be classed as a ‘third country’ by the EU. Under the EU’s data protection framework, personal data can only be transferred to a third country where an adequate level of protection is guaranteed by the government of that country.
Companies that do not comply with the Bill will face heavy fines – up to £17 million or 4% of global turnover, compared to the current maximum fine of £500,000.
The UK’s Information Commissioner will have its powers strengthened and extended to help it police and enforce the new data protection regime.
What are the key changes?
The Bill will:
- make it easier for people to withdraw their consent for their personal data to be used
- allow people to ask for their data to be deleted
- require firms to obtain explicit consent when they process sensitive personal data
- expand the definition of personal data to include IP addresses, biometric data and cookies
- allow people to obtain the information organisations hold on them much more freely, via subject access requests
- create new criminal offences of:
  - intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data
  - altering records with an intent to prevent disclosure to a data subject following a subject access request
- replace the Data Protection Act and ensure that UK laws are compliant with GDPR.
The Information Commissioner has stated: “We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protection will bring to the public”.
Many details of the proposed Bill mirror concepts set out in the GDPR, so they should not be a surprise to UK businesses, but the draft text of the Bill will be awaited with interest.