The Department for Media, Culture and Sport (DCMS) has published a statement of intent to overhaul the UK Data Protection laws. The move will also remove the ongoing confusion in some quarters over adoption of the EU GDPR. The move will substantially strengthen UK data protection laws and increase the current laughable penalties for breaches of the law.
According to Matt Hancock, Minister of State for Digital: “Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.
“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”
What is the goal of this latest legislation?
The first goal is to ensure that irrespective of what happens with Brexit, the EU GDPR is fully enshrined in UK law. Up to now, there has been confusion, with some organisations believing that Brexit will mean no GDPR for the UK. That was always a false premise, as GDPR comes into force next year, before the UK leaves the EU. What this move should do is act as a spur to all those companies who were holding on and hoping not to invest the time and money in becoming GDPR compliant.
A second piece of EU legislation also comes into force at the same time as GDPR but has had little coverage. The Data Protection Law Enforcement Directive (DPLED) deals with how the police and criminal justice sector handle personal data. This move by the DCMS will ensure that it, too, is enshrined in UK law. This will allow the UK to continue to share data with other EU law enforcement agencies.
What does the statement of intent cover?
The statement of intent lays out how UK Data Protection law will now change. Ensuring that GDPR is aligned to UK law means that the severe penalties it brings in can be applied to UK-based companies. Those penalties will now see a maximum of £17 million or 4% of global turnover. This will hopefully force large organisations to carry out a better cost and risk analysis on how they protect data. The current maximum fine of £500,000 is derisory given some of the breaches.
UK citizens will also have the right to have any social media content posted when they were children removed from the Internet. There is also a hope that it will end some of the more invasive press stories from the last few years.
One of these concerns the Youth Police Commissioner for Kent. Social media posts she made as a teenager were used by the UK press to vilify her and force her out of office. Under this new law that data would not be available or usable.
Other measures include:
- Make it simpler to withdraw consent for the use of personal data
- Allow people to ask for their personal data held by companies to be erased
- Enable parents and guardians to give consent for their child’s data to be used
- Require ‘explicit’ consent to be necessary for processing sensitive personal data
- Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
- Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
- Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
- Make it easier for customers to move data between service providers
A tougher data regulator
The DCMS says it wants to toughen the role of the UK Information Commissioner. This is good news. The UK is not seen as the weakest in Europe but it is far from the strongest. The measures outlined in the Statement of Intent will provide for increased fines and penalties.
There will be new criminal offences to provide teeth for the ICO. Serious offences will be recorded on the Police National Computer. This creates a problem for companies and individuals. Roles such as coaching, teaching and some other professions require a criminal records check. This new law means that if they have been convicted of serious data protection offences they will have to disclose that. Companies will also have to do the same if asked by a supplier or customer as part of due diligence before any data sharing takes place.
There are three new offences:
- Create a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Offenders who knowingly handle or process such data will also be guilty of an offence. The maximum penalty would be an unlimited fine.
- Create a new offence of altering records with intent to prevent disclosure following a subject access request. The offence would use section 77 of the Freedom of Information Act 2000 as a template. The scope of the offence would apply not only to public authorities, but to all data controllers and processors. The maximum penalty would be an unlimited fine in England and Wales or a Level 5 fine in Scotland and Northern Ireland.
- Widen the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller (even if they initially obtained it lawfully).
Importantly, the new law will also give stronger protection to journalists and whistleblowers.
Forcing companies to do better
It is a worrying fact that far too many organisations do not have a Data Protection Officer (DPO). Individuals can often face severe problems trying to identify who is responsible for protecting an organisation’s data. This is particularly relevant when an individual wants a company to delete data pertaining to them. This new law is designed to crack down on this and make a DPO a mandatory role. It will also bring in better controls over data management and transfer.
Four ‘things’ to be introduced, according to the statement of intent, are:
- A requirement for a mandatory Data Protection Officer (DPO). This is a new role and will advise data controllers on data issues, handle complaints and ensure compliance with the Data Protection Law Enforcement Directive.
- A requirement on data controllers to prove that requests by someone to obtain or verify information that is held about them are ‘manifestly unfounded or excessive’ before they are able to charge for the fulfilment of that request, or refuse altogether.
- A more prescriptive logging requirement applied to specific operations of automated processing systems including collection, alteration, consultation, disclosure, combination and erasure of data, so a full audit trail will be available.
- Clarity on the ability for international transfers to take place in a variety of circumstances, so critical data sharing can take place.
There is no mention of how this will be enforced across organisations of different sizes. It may be part of a crackdown by the ICO office to make sure that organisations are behaving. It will also require a proper media campaign to ensure that SMEs, who make up over 95% of UK businesses, are aware of this.
Initial industry reaction
There has been limited initial reaction as organisations read and assess the documents. What reaction there has been is positive.
Tom Thackray, CBI Innovation Director, said: “In the modern economy, data has huge value and its innovative use leads to better services and more productive businesses. But firms know that this ability to innovate is dependent on customers having confidence that their information is well protected. This legislation strikes the right balance in improving standards of protection while still enabling businesses to explore new products and services.”
What does all of this mean?
At first glance it is a long overdue and very welcome move to tighten data protection in the UK. Importantly it deals with the nonsense that keeps popping up in business forums around GDPR. There is a body of organisations and companies that think Brexit means GDPR can be ignored. This move puts that misinformation and stupidity to rest.
The move to substantially tighten up the right to privacy will force a lot of businesses to rethink their data grab approaches. They will now have to create and prove that they can remove personal data from their systems. This is not a simple process and the law will not put the costs on the individual. Allowing people to remove social media posts they made as children is equally important. It will stop potential employers trying to see what they may have said when younger.
The new powers for the ICO and the new criminal offences are also important steps. There is likely to be some kickback about putting individuals and companies on the PNC. However, there are good reasons for this. One is to help companies decide who they will and won’t partner with. No company wants to work with someone who has a record of allowing data breaches. It will be interesting to see how that works in practice.
The statement of intent makes for interesting reading, as do the other documents released by the DCMS. Legal teams, DPOs, CIOs and others responsible for IT and data inside organisations need to sit down and read them today.