UK Writes GDPR into Law with New Data Protection Bill

[Exterminator]

The pressure is now on for UK organizations to comply with the EU’s General Data Protection Regulation (GDPR) after the government announced its intention to write the legislation officially into law in the form of a new Data Protection Bill.

The proposed bill will upgrade the UK’s privacy laws for the digital age, providing consumers with sweeping new rights while mandating strict requirements on businesses which handle their data.

Organizations will: have to ask customers to opt-in for them to collect and use their personal data; be required to notify to the ICO within 72 hours of a 'serious' data breach; and face strict penalties for non-compliance of up to 4% of global annual turnover or £17 million, whichever is higher.

“Our measures are designed to support businesses in their use of data and give consumers the confidence that their data is protected and those who misuse it will be help to account,” said digital minister Matt Hancock, in a statement.

New consumer rights enshrined in the legislation include the right to be forgotten and the right to data portability, which will make it easier for netizens to request companies erase personal data on them and to transfer data between providers, respectively.

Julian David, CEO of industry body techUK, welcomed the proposed legislation as building “a culture of trust and confidence” in the UK which will help encourage “data-driven innovation”.

“techUK supports the aim of a Data Protection Bill that implements GDPR in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations,” he added.

UKFast CEO, Lawrence Jones, also welcomed the new proposals.

“We have been able to win significant amounts of business from our giant American competitors simply because we are held to higher standards on data regulation than the US, and people trust that standard,” he explained.

“We will be doing everything we can to lobby the government and guarantee that our new standards are at least equal to the incoming EU regulation.”

However, there are still question marks about whether data will be able to flow unhindered between the UK and EU post-Brexit, given the mass surveillance powers granted to the UK authorities in the Investigatory Powers Act.

Some experts have suggested that there aren’t enough safeguards in place as yet for EU bodies to be comfortable having European citizens’ data stored in the UK, where it may be subject to snooping from the police or security services.

Top10VPN head of research, Simon Migliano, hinted at such concerns, arguing that consumers shouldn’t rely on the government to look after their digital rights and data.

“It feels hypocritical for the government to be trumpeting these new data protection measures while at the same time being responsible for the Investigatory Powers Act, or Snoopers' Charter, that runs completely contrary to these proposals,” he argued.

“Will the government have to ask ‘explicit’ permission to harvest your data? Will you be able to ask them to view or delete the data the Government holds on you? I doubt it.”

That said, organizations will still need to comply with the new legislation, when the GDPR comes into force on 25 May 2018.

RSA Security’s field CTO EMEA, Rashmi Knowles, warned that the new rules broaden the scope on what constitutes “personal data”, and that there’s a long road ahead for compliance, even for those organizations already governed by the UK’s Data Protection Act.

“The biggest challenge is going to be process; particularly around issues such as data availability and consent,” she added.

“This is not an annual audit that companies need to comply with, the audit can come at any time so businesses need to be focused on continuous compliance, which is a huge task – technology alone is not the answer. For anyone who was in doubt that GDPR will impact them come May 2018, this move by the government is a clear indication that it will – regardless of Brexit.”

 

[Arequire]

A win for those of us living in the UK even if I don't agree with the "right to be forgotten" directive that comes with it.

 

[tryfon]

Seems like the right way forward for the UK- grats to all of our UK members!

 

[Weebarra]

Good news from our government for once. I have no doubts that the option to "opt out" will not be in easy to find place when online, lol.

 

[Fritz]

They're incorporating EU law in Room A while discussing Brexit in Room B?

At least GCHQ gets to siphon off all the data themselves now without having to share the loot with others.
I can almost hear them giggle while it's being signed.

 

[Arequire]

At least GCHQ gets to siphon off all the data themselves now without having to share the loot with others.

I doubt it. The rest of the EU relies heavily on the UK when it comes to intelligence gathering/sharing and it's something I've no doubt will be included in Brexit negotiations.
I'd wager there'll be a deal struck for the UK to continue contributing to Europol and intelligence sharing with other EU jurisdictions, especially with British intelligence agencies lack of regulation and carte blanche approach to data collection.

 

[Fritz]

@Arequire I wasn't referring to GCHQ's collaboration with other intelligence agencies. Of course they share everything without a second thought. That's not an EU thing.

I meant that businesses are now called to privacy standards while your typical letter agencies still do whatever they want anyways. Great privacy law. It's just like the government doling out goodies when all they ever did was take them out of your left pocket before putting them in your right one—and have themselves celebrated for it.

 

[Arequire]

I meant that businesses are now called to privacy standards while your typical letter agencies still do whatever they want anyways. Great privacy law. It's just like the government doling out goodies when all they ever did was take them out of your left pocket before putting them in your right one—and have themselves celebrated for it.

Oh definitely. It's hilarious how hypocritical the whole situation is. The sadly ironic part is those three letter agencies pose a far greater risk to our data as individuals than any business entity does.