UK to Strengthen Its Data Protection Law
By Paul Sutton, Head of Legal Advisory Group, Radius
A proposed new data protection law will strengthen information privacy rules in the UK and bring the country in line with EU law, ensuring the free flow of information between Europe and the UK post-Brexit.
The proposed new law updates the UK’s Data Protection Act, which has not changed since 1998, when internet use was in its infancy and social media didn’t exist. It allows citizens to withdraw consent for companies to use their personal data and to request deletion of any information they posted before the age of 18, imposing substantial fines for companies that refuse without good reason.
“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world,” said the UK’s Digital Minister Mark Hancock. It will “give consumers the confidence that their data is protected and those who misuse it will be held to account.”
The country hopes to pass the bill well in advance of May 25, 2018, when the EU’s General Data Protection Regulation (GDPR), which contains many of the same provisions, becomes effective. Under EU law, personal data can only be transferred to a third country where an adequate level of protection is guaranteed.
How It Works
Here are some of the main things the proposed new UK law does:
- Allows people to ask companies doing business in the UK to erase their personal data. In most cases, companies will have to comply, though the law provides exceptions for freedom of expression or matters of scientific or historical importance. This provision, also included in the GDPR, is separate from the existing “right to be forgotten” law, which allows people to delete personal information from search engines.
- Allows people to ask social media channels or other companies to delete any information posted before they were 18 years of age. This was one of Prime Minister Theresa May’s campaign promises.
- Changes the personal information default on websites from “opt out” to “opt in.” Many company websites automatically add customer information to marketing lists and pass it to third parties unless customers check a box to opt out. The new law requires customers to opt in instead, and requires companies to inform them that their information will be shared with marketers.
- Expands the definition of personal data to include IP addresses (which identify a user’s specific device), internet cookies (which provide information about browsing history), and DNA. This provision attempts to address a growing concern about criminals stalking their victims on the internet. Research shows that more than 80 percent of people feel they do not have complete control over their data online, the proposed bill says.
- Makes it easier for individuals to obtain personal data held by companies.
- Makes it a criminal offense to re-identify people from anonymized data.
- Allows people to request that a human be involved when a company creates a profile. Currently, many companies use algorithms to create profiles of job candidates or insurance applicants.
- Makes it easier for customers to move data between service providers. For example, customers will be able to easily move photos between cloud storage providers.
For the most serious violations, the proposed law can impose fines of up to the greater of £17 million ($22 million) or 4 percent of global revenue. The current maximum fine for breaking data protection laws is £500,000 ($650,000). The UK's Information Commissioner will be tasked with policing the new regime.
Companies that handle sensitive customer information will be required to conduct an impact assessment specifying the risks involved.
Preparing for the New Law
Companies doing business in the UK should familiarize themselves with the proposed law and make sure they can easily gather customers’ personal data.
If preparation for the GDPR is any indication, many will lag behind. A recent study found that just 43 percent of the UK’s IT professionals had assessed the GDPR’s impact on their company or changed their practices to stay in alignment. Nearly a third said they were making no preparations to do so.
Small companies could have trouble deciphering the new law and figuring out how to apply it. “They simply aren't aware of what they will need to do, which creates a real risk of companies inadvertently facing fines,” Mike Cherry, national chairman at the Federation of Small Businesses, told the BBC.
The UK government provides several documents and checklists designed to help businesses prepare for the GDPR. They apply to the new UK law as well.