The pressure is now on for UK organizations to comply with the EU’s General Data Protection Regulation (GDPR) after the government announced its intention to write the legislation officially into law in the form of a new Data Protection Bill.
The proposed bill will upgrade the UK’s privacy laws for the digital age, providing consumers with sweeping new rights while mandating strict requirements on businesses which handle their data.
Organizations will: have to ask customers to opt-in for them to collect and use their personal data; be required to notify to the ICO within 72 hours of a 'serious' data breach; and face strict penalties for non-compliance of up to 4% of global annual turnover or £17 million, whichever is higher.
“Our measures are designed to support businesses in their use of data and give consumers the confidence that their data is protected and those who misuse it will be help to account,” said digital minister Matt Hancock, in a statement.
New consumer rights enshrined in the legislation include the right to be forgotten and the right to data portability, which will make it easier for netizens to request companies erase personal data on them and to transfer data between providers, respectively.
Julian David, CEO of industry body techUK, welcomed the proposed legislation as building “a culture of trust and confidence” in the UK which will help encourage “data-driven innovation”.
“techUK supports the aim of a Data Protection Bill that implements GDPR in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations,” he added.
UKFast CEO, Lawrence Jones, also welcomed the new proposals.
“We have been able to win significant amounts of business from our giant American competitors simply because we are held to higher standards on data regulation than the US, and people trust that standard,” he explained.
“We will be doing everything we can to lobby the government and guarantee that our new standards are at least equal to the incoming EU regulation.”
However, there are still question marks about whether data will be able to flow unhindered between the UK and EU post-Brexit, given the mass surveillance powers granted to the UK authorities in the Investigatory Powers Act.
Some experts have suggested that there aren’t enough safeguards in place as yet for EU bodies to be comfortable having European citizens’ data stored in the UK, where it may be subject to snooping from the police or security services.
Top10VPN head of research, Simon Migliano, hinted at such concerns, arguing that consumers shouldn’t rely on the government to look after their digital rights and data.
“It feels hypocritical for the government to be trumpeting these new data protection measures while at the same time being responsible for the Investigatory Powers Act, or Snoopers' Charter, that runs completely contrary to these proposals,” he argued.
“Will the government have to ask ‘explicit’ permission to harvest your data? Will you be able to ask them to view or delete the data the Government holds on you? I doubt it.”
That said, organizations will still need to comply with the new legislation, when the GDPR comes into force on 25 May 2018.
RSA Security’s field CTO EMEA, Rashmi Knowles, warned that the new rules broaden the scope on what constitutes “personal data”, and that there’s a long road ahead for compliance, even for those organizations already governed by the UK’s Data Protection Act.
“The biggest challenge is going to be process; particularly around issues such as data availability and consent,” she added.
“This is not an annual audit that companies need to comply with, the audit can come at any time so businesses need to be focused on continuous compliance, which is a huge task – technology alone is not the answer. For anyone who was in doubt that GDPR will impact them come May 2018, this move by the government is a clear indication that it will – regardless of Brexit.”