Today, the UK government has issued a press release announcing its statement of intent for the new UK Data Protection Bill, the UK equivalent of the EU General Data Protection Regulation (GDPR). In it, Digital Minister Matt Hancock explains how the Bill, to be implemented by May 25, 2018, will provide people with more control over their personal data and a raft of new measures to protect it better.
We've been banging the drum about GDPR since the start of 2016. However, now the mainstream media have reported details of this new “golden standard” for data protection, the reality of its impact might have finally hit home.
The Sun went with the view that “draconian EU laws on data protection” will cripple sole traders, small businesses and charities who will find it hard to abide by new marketing rules. Others, such as the Guardian and Financial Times, have focused on the benefits the UK Data Protection Bill will bring for individuals. In all instances, it is now clearer than ever why UK businesses need to assess how they collect, process and share personal data.
In the press release, Matt Hancock, Minister of State for Digital, said:
“Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.
“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”
The press release also outlines some of the main components of the new Bill, including how it will:
- Make it simpler to withdraw consent for the use of personal data
- Allow people to ask for their personal data held by companies to be erased
- Enable parents and guardians to give consent for their child’s data to be used
- Require ‘explicit’ consent to be necessary for processing sensitive personal data
- Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
- Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
- Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them (free Data Subject Access Requests)
- Make it easier for customers to move data between service providers
This, as many have suspected, means that the UK Data Protection Bill will align very closely with the requirements of the EU GDPR, including punitive action for non-compliance, i.e. fines of up to £17m or 4% of the global turnover.
You can read the full statement of intent here, but other key points that UK marketers may want to consider include:
- The reasons for giving consent must be “unambiguous” and easy to withdraw.
- Consent tick boxes must use a default opt-out (no pre-selected tick boxes will be allowed)
- Businesses must notify the Information Commissioner's Office (ICO) of a data breach within 72 hours of it taking place (where a breach risks the rights and freedoms of an individual)
- High risk data processing requires a risk impact assessment to be conducted first
New ICO powers
- Can issue fines – up from a maximum of £500,000 to £17m (or 4% of global turnover)
- New criminal offence for “intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data”
- New offence for “altering records with intent to prevent disclosure following a subject access request”
New data protection regimes
- A mandatory requirement for a Data Protection Officer (DPO)
- A requirement to prove that a request by someone to obtain or verify information held about them is “manifestly unfounded or excessive” before the organisation is able to charge for fulfilling that request, or refuse it altogether
- A requirement to log the operations of automated processing systems and have an audit trail available
- Actions against legal infringements can be brought on behalf of individuals by a representative entity
UK specific derogations
While most of GDPR will be applicable in the UK, the government has opted to clarify and/or change some of its requirements for the UK, such as:
- Children aged 13 or over can consent to their personal data being processed (increasing from the age of 12 where equivalent laws existed)
- Some exemptions to process criminal conviction or offence data (for example employers conducting a criminal records check, organisations that need to safeguard children and vulnerable adults, and some insurance underwriters)
- Some exemptions for processing personal data by automated means (for example automatic refusal of an online credit application)
- Exemptions to protect journalists and whistle-blowers holding organisations to account, where journalistic activity is in the public interest
- Exemptions for some scientific or historical research organisations to collect personal data, where otherwise it would “seriously impair these organisations’ ability to carry out research, archiving or statistics-gathering activities”
- The creation of a framework that covers the processing of personal data for “prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.”