A New Data Protection Bill
On the 7th August 2017, the UK government’s Minister of State for Digital, Matt Hancock MP, issued a Statement of Intent confirming that the European Union’s (EU’s) General Data Protection Regulation (GDPR), will be included within the UK’s laws after the UK leaves the EU. This will be achieved through the implementation of a new Data Protection Bill, which will repeal the Data Protection Act 1998 and include the GDPR’s legislative requirements along with some additional measures and clarifications.
The governments statement also confirmed its conclusions from the Cyber Security Regulation and Incentives Review published in December 2016, that it was important to clearly link data protection with cyber security. The government will continue to support the Cyber Essentials scheme and its accreditation process designed to provide a sound foundation of basic hygiene measures that a business should implement to provide basic protection from the most prevalent threats from the internet.
It is anticipated that the increased financial sanctions applicable for data breaches within the data protection law, and the closer working of the Information Commissioner’s Office and National Cyber Security Centre, will result in significant improvements to the management of cyber security risks.
The government points to three inter-related objectives of “maintaining trust”, “future trade” and “security”, designed to fulfil their vision of being the best, and safest, place to live and do business online. Institutions, therefore, will be required to keep data safe and secure, handle data legally responsibly and ethically, and be open and transparent about what data they are using and why. Strict penalties will apply for misuse.
There is a commitment to ensure that uninterrupted data flows continue between the UK, the EU, and other countries around the world and to maintain the ability to share and process personal data for security and law enforcement purposes.
The New Requirements
The most significant enhancements to existing data protection laws arising from the new Data Protection Bill are as follows:
Data subject rights – now include the right to be “forgotten” – personal data can be removed or deleted where there is no compelling reason for continued processing; and the right to data portability – allows individuals to obtain their data in machine readable format for easy transfer to their service providers.
Subject access requests – copies of personal data must now be provided in a reduced timescale and free of charge.
Consent – where processing of data is based upon consent, this must be explicit.
Data Protection Officer – the appointment of a Data Protection Officer is now mandatory if you are a public authority or body; you monitor data subjects on a large scale; or you process sensitive personal data on a large scale.
Data security – some enhanced data security measures may be required such as encryption and pseudonymisation. Breaches must be reported to the Information Commissioners Office.
Privacy notices – an increase in the amount of information you need to include in your privacy notices. These should be clear, concise, and intelligible.
Privacy impact assessment – if you carry out high risk processing you must carry out a privacy impact assessment.
Sanctions – a sanction regime that can issue fines of up to 4% of annual worldwide turnover or €20million, whichever is greater.