Described as “The Most Robust, Yet Dynamic, Set of Data Laws in the World”, the UK’s Data Protection Act has remained unchanged for nearly 20 years, while technology and the use of data continue to advance every day. Data is everywhere – industries are reliant on it, the use of smart technology is built around it, and we constantly share our information both willingly and unknowingly through online services and smartphone apps. Unfortunately, an increase in data also means an increase in breaches. Recent cyberattacks, such as the WannaCry ransomware attack, and news headlines about businesses misusing consumer data, such as Google’s ‘legally inappropriate’ deal with the NHS for patients’ data and TalkTalk’s data breach affecting 21,000 customers, not only expose how common such misuse and scandals are, but also signify an urgent need for the law to be better aligned with today’s digital economy in order to protect consumers online.
The EU’s incoming General Data Protection Regulation (GDPR), and the UK’s Data Protection Bill aim to do exactly that.
The GDPR is the EU’s response to modernise and harmonise existing data protection laws. As a Regulation, the GDPR is legally binding and directly effective, which means that Member States are required to adhere to the legislation as written. A Directive, on the other hand, requires Member States to enact their own national laws that achieve the aims of that Directive. The GDPR comes into effect on 25 May 2018 and brings with it very wide-reaching implications for businesses, while also ensuring a higher level of protection and security for individuals. Most notably for businesses, the law binds all companies that handle an EU citizen’s personal data, regardless of whether they are based within the EU or not.
As the UK will still be a member of the EU in May 2018, the GDPR will directly affect our businesses and citizens, so the UK will need to demonstrate compliance. In addition, the government recently announced the Data Protection Bill, which seeks to implement the GDPR into UK law. This will immediately offset any period of uncertainty post-Brexit and closely align our laws with the rest of Europe, while delivering what the government’s Digital Minister Matt Hancock describes as ‘the most robust, yet dynamic, set of data laws in the world’.
THE DATA PROTECTION BILL
The Data Protection Bill (DPB) grants individuals more rights and control over their personal data in many ways. The definition of personal data has also been updated and expanded to include IP addresses, DNA, and internet cookies, which store data about your web browsing. The DPB will be introduced in Parliament when it reconvenes in September, and brings with it the following key provisions:
The Right to be Forgotten
This right grants individuals over 18 years old more control than the GDPR over what data they wish to remove from the internet or from a company’s database. Previously, individuals only had control over removing their search history from web browsers; however, the DPB grants them the right to remove, for example, all embarrassing or outdated social media posts.
Data Access
Individuals can request to receive the personal data that an organisation stores about them, and this must be provided within a fixed period of time. Companies will need to ensure that they are aware of how and where they store data, and how to access it if needed, as such a request can prove difficult if mass data is stored in the cloud, for example.
Data Portability
Individuals will have the right to request that their data is transferred between service providers. Businesses therefore need to ensure that they not only know where an individual’s data is stored, but also ensure that it is all transferable if requested.
Consent
Subject to criminal justice exceptions, individuals can withdraw consent for their personal data to be used or processed. The most common example is the tick-boxes found at the end of forms, which will now need to explicitly state the purpose for which data will be used, thereby making it a more transparent choice for the individual. Moreover, parents and guardians will need to explicitly consent to their child’s data being used, while children aged 13 or over are able to make this choice for themselves. This latter aspect differs from the GDPR age requirement of 16 years old.
Data Breach
The maximum fine for breaching the existing Data Protection Act 1998 is £500,000. Under the DPB, the fine increases substantially to up to either 4% of a company’s global turnover or £17 million – whichever is greater. A fine can be imposed if any part of the DPB is breached, not just if personal data is leaked, so businesses will need to ensure that they are compliant.
The way in which personal data is used and stored continues to change significantly, and the GDPR and the DPB rightly place a higher value on individuals’ rights, while also embracing those changes. Compliance with the GDPR and the DPB also benefits businesses, as they will have the chance to appear more trustworthy and consumer-friendly, while avoiding the risk of paying substantial fines and enduring the subsequent reputational damage.