The new UK Data Protection Bill, published today, will come into force in May 2018, coinciding with the date on which the European Union’s General Data Protection Regulation (GDPR) becomes applicable across the EU. Presented as part of the multi-million pound National Cyber Security Strategy, the legislation will effectively write the GDPR into UK law, so that the UK’s data protection regime remains aligned with the EU’s after Brexit.
Minister for Digital Matt Hancock says: ‘As the UK leaves the EU we will ensure we have one of the most robust systems for protection of intellectual property anywhere in the world, for all civilised societies are based on the fair and equal protection of property rights.’
He adds: ‘Our task is to strike the right balance between freedoms and responsibilities online, such that the solutions can be applied globally, and the whole free world can emulate our approach. That is our plan.’
The drive behind the bill is to protect the online data of people and businesses. According to Mr Hancock: ‘We must build an internet based on liberal and not libertarian values, where we cherish freedom yet prevent harm to others’.
Alongside the protection of individuals’ and companies’ data online, the bill contains measures on cyber-bullying and child protection.
The key provisions also include:
- Providing a simpler process for individuals to withdraw consent for their personal data to be used;
- Giving individuals the right to request that their personal data is deleted;
- Allowing for the re-identification of people from anonymised or pseudonymised data if a criminal offence is suspected.
The last point marks one significant difference between the UK Data Protection Bill and the European legislation: the UK bill adds a set of exemptions, described by the government as ‘vital’, for cases where the public interest is served. These include an exemption for ‘freedom of expression’, allowing journalists to access personal data in order to expose wrongdoing; journalists will also be allowed to preserve the anonymity of their sources and to process personal data without consent where doing so is judged to be in the public interest.
The bill also allows anti-doping agencies to access personal data when pursuing suspected drug cheats, and financial services companies to do so where terrorist financing or money laundering is suspected. To safeguard the innocent, new criminal offences will be created to deter organisations from intentionally or recklessly creating situations in which someone could be identified from anonymised data.
While the Data Protection Bill will be law for all UK organisations, the GDPR applies to any organisation processing personal data about individuals in the EU, wherever that organisation is based, which in today’s online world covers almost everybody. The two regimes are aligned on the handling of personal data in a business context, so preparing for one prepares for the other. The financial penalties for data breaches or non-compliance are equally severe: fines of up to £17m (the sterling equivalent of the GDPR’s €20m) or 4 per cent of global annual turnover, whichever is higher.
The important point is that May 2018 is not far away, so the process of integrating the new data protection laws should already be well under way. If you are looking for strategic and practical input in developing up-to-date data protection policies, SRM’s team includes GCHQ-approved GDPR practitioners with the expertise to work with clients to build robust and cost-effective defences.