New Data Protection Bill will strengthen UK data protection law
07 Aug 2017
The Government previously announced during the Queens Speech their intention to update UK data protection law via a new Data Protection Bill.
Today the Government detailed the headline changes from the forthcoming Data Protection Bill, in a statement of intent published online.
The new Bill will implement the General Data Protection Regulation (GDPR) in full and therefore smooth the Brexit transition process by aligning UK data protection law with EU data protection standards.
The key changes the Government list are:
- Make it simpler to withdraw consent for the use of personal data
- Allow people to ask for their personal data held by companies to be erased ("right to be forgotten")
- Enable parents and guardians to give consent for their child’s data to be used
- Require ‘explicit’ consent to be necessary for processing sensitive personal data, such as health data
- Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
- Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
- Make it easier and free of charge for individuals to require an organisation to disclose the personal data it holds on them ("data subject access request")
- Make it easier for customers to move personal data between service providers ("right to data protability")
DMA members are familiar with these proposed changes as most of them originate from the GDPR.
The GDPR contained various derogations, which translates as parts of the Regulation that can be varied from country to country. For example, the age of consent for children can be set between ages 13-16.
The UK Government consulted the DMA on the derogations and has now indicated what it will do in this announcement. On the age of consent for children for personal data processing the Government believes 13 is most appropriate. The DMA supports this decision and had lobbied for it.
Furthermore, the Government intend to introduce a new legal requirement, which is an extension of the right to be forgotten in the GDPR, for social media companies. There will be a new right to require social media platforms to delete information on children and adults when asked.
Speaking about the Bill Digital Minister, Matt Hancock MP, said: “I am determined to ensure that the Bill supports innovation and although in some cases there will need to be changes to business processes, data will still be used as productively for all current uses ranging from marketing to research. There is no conflict in both enhancing citizen protections and supporting UK economic activity. It’s all about using data wisely.”
This time of reform is a watershed for data protection law and organisations should use the reforms as an opportunity to create a business culture that has data privacy at its heart.
The new Data Protection Bill is in essence all about giving consumers greater control over their personal data. Consumers are increasingly doing business with brands based on how that company treats their personal data.
In practice organisations must be responsible custodians of personal data and be accountable and transparent to consumers as to how they will use their personal information.
The robust accountability principle introduced by GDPR places emphasis on record keeping and privacy impact assessments. Organisations should be able to demonstrate their compliance with the law and always be thinking about how their behaviour could impact people’s personal privacy and their data protection rights.
Picking up on these points, DMA Director of External Affairs, Mike Lordan, said: “The Data Protection Bill will put into law much of the substance of the GDPR, which will transform the day-to-day operations of any business that works with data and comes into force in May 2018.
“This new legislation gives consumers more control over their data, which will in turn persuade businesses to act more responsibly.
“But businesses should not view these new laws as shackles inhibiting innovation, as some do, but as opportunities to better serve customers in new and exciting ways.”
The full Bill was not published today but will likely be published on one of two dates, either when Parliament returns from its summer break in early September or when Parliament returns from the conference season in early October.
If you have any concerns regarding the Bill then you can contact the Government team via email: firstname.lastname@example.org or the DMA’s External Affairs Manager, Zach Thornton, via email: Zach.Thornton@dma.org.uk