The UK’s Data Protection Bill, which was announced in last month’s Queen’s Speech, could be introduced in Parliament in just a few weeks—though it could be months before it becomes law.
The UK legislation is expected in September, according to the UK’s Department of Digital, Culture, Media & Sport (DCMS), which confirmed to security researcher and training specialist Chris Pounder that “we're aiming to introduce the Bill as soon as we can once the houses are back from summer recess.”
The Queen’s Speech said that the bill is meant to ensure that the UK “retains its world-class regime protecting personal data.” Further analysis from global law firm Reed Smith added that the goal is a “data protection framework that is suitable for our new digital age, and to cement the UK’s position at the forefront of technological innovation, international data sharing and protection of personal data.”
To that end, the Data Protection Bill will replace the Data Protection Act 1998 and incorporate the GDPR into UK law, meaning that even post-Brexit, businesses will need to comply with the same EU rules when handling the personal data of individuals in the UK. The GDPR applies from May 25 of next year and gives EU regulators the power to impose administrative fines of up to €20m or 4% of global annual turnover, whichever is greater, on organizations anywhere in the world that fail to meet its requirements when processing the personal data of individuals in the EU.
The ramifications extend far beyond fines for individual companies, according to Jon Baines, chair at the National Association of Data Protection and Freedom of Information Officers.
“When the UK leaves the EU under Brexit, and if we don't remain a member of the EEA, we will become a 'third country' for the purposes of GDPR, and we will need to have adequate domestic data protection law in place to enable the free flow of personal data between us and the EU,” he told Infosecurity. “If the European Commission decides that this new UK data protection law is inadequate, it will make these cross-border transfers of personal data very tricky, which would have the potential to adversely affect trade deals, and drive up costs for business and consumers, as well as potentially hindering cooperation in criminal justice and national security matters.”
The data protection community is well aware of this, he noted; the House of Lords' EU Home Affairs Sub-Committee recently warned about the issue.
As background, the GDPR's breach-notification requirements include the following:
• A personal data breach must be reported to the regulator within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a notification made later than 72 hours must be accompanied by the reasons for the delay
• The notification must also describe the measures taken, or proposed, to address the breach and, where appropriate, to mitigate its possible adverse effects
• If the breach is likely to result in a high risk to the individuals affected, the organization responsible must also inform those individuals without undue delay
The UK bill is also expected to modernize the data-processing rules that apply to law enforcement agencies, covering both domestic and cross-border handling of personal data, and to carry a slew of protections for individuals, such as the right to be forgotten and the right to have information held by social media platforms deleted when individuals turn 18.
Additionally, the legislation will update the powers and sanctions available to the Information Commissioner’s Office, according to Reed Smith.
That the bill is expected to be introduced in September does not, however, mean that it will become law any time soon.
“One thing is certain - this is going to be a complex piece of legislation, which will almost certainly take a number of months,” Baines said. “I understand the government is aiming for the bill to become enacted by March. No specific criticism is being levelled against the government when I say this leaves organizations aiming to comply with all of GDPR and the Law Enforcement Directive by next May with very little time to understand what will be coming, and to fully prepare for it.”
In a recent survey, two-thirds (65%) of UK IT pros said they’re in favor of the sweeping new data protection regulation, versus 59% in the rest of the EU and just 37% in the US. Nonetheless, only 40% have started compliance efforts, and 15% of UK IT pros said they have no plans to prepare for the GDPR in the next 12 months at all.