UK Government release Data Protection Bill
As European nations prepare for the European Union General Data Protection Regulation (GDPR) coming into legislation on May 25th, 2018, the UK government is taking similar steps to implement their own data protection laws for a post-Brexit Britain. This month the UK government have released the Data Protection Bill which is designed to implement the same principles as the EU GDPR.
The 200-plus pages of legislation, which could be brought into law if approved, come with the government’s assurances as to its quality: ‘We are strengthening Britain’s data rules to make them fit for the digital age in which we live, and that means giving people more control over their own data,’ claims Minister of State for Digital, Matt Hancock, of the bill. ‘There are circumstances where the processing of data is vital for our economy, our democracy and to protect us against illegality. Today, as we publish the Data Protection Bill, I am offering assurances to both the public and private sector that we are protecting this important work.’
Those protections come in the form of a range of exemptions, many of which are carried over from the existing Data Protection Act (DPA): The processing of personal information by journalists for the purposes of freedom of expression and to expose wrongdoings is explicitly protected, scientific and historical research organisations gain exemptions from ‘certain obligations which would impair their core functions,’ national bodies working to fight doping in sport are granted certain rights, while data processing on suspicion of the financing of terrorism or money laundering is also exempted.
These exemptions and the additional safeguards implemented in the bill have been welcomed by the privacy rights campaign organisation the Open Rights Group (ORG), but it warns that its own activities – allowed under the GDPR – may be under threat. ‘The UK has neglected an important option in the General Data Protection Regulation which gives consumer privacy groups like Open Rights Group the ability to lodge independent data protection complaints,’ claims ORG executive director, Jim Killock. ‘It is almost impossible for the average person to know how their data is being collected, shared and sold by social media platforms, advertisers and other businesses. We may not know which companies hold data about us. Privacy groups can, therefore, play an important role in protecting consumers by taking independent action against companies that fail to protect our data protection rights. Open Rights Group wants to be able to campaign on behalf of people who are afraid of complaining or do not realise that they have been affected.’
The bill includes an increase in the maximum penalty the Information Commissioner’s Office (ICO) can levy against a company found to have breached data protection legislation, up from the previous maximum of £500,000 to £18,000,000, bringing the fines in line with those allowed for in EU GDPR.
What does this mean for UK SMEs and larger organisations?
The arrival of the revamped Data Protection Bill comes as no surprise to experts. Data protection has been an issue for all nations, and Brexit has put increased pressure on the government to deliver legislation that would have the reach and effectiveness of GDPR.
It is also important to remember that if your organisation is based in the UK but operates in the European Union, GDPR can still apply to your business. If you suffer a breach that results in the loss of an EU citizen’s data, then the fines and penalties can be applied to your business.
The key to compliance with GDPR will be the same for the Data Protection Bill. Your organisation will need to demonstrate compliance by implementing best practices that not only protect data from breaches but also establish procedures to ensure you are managing and using the data correctly, in line with the Data Protection regulations.
ISO 27001:2013, the Information Security Management System standard, provides a framework for organisations to implement a system that not only minimises the risk of security breaches, both internal and external, but also provides transparency in how you are managing your clients’ and shareholders’ data.
The legislation is still under review, and on October 10th the House of Lords will conduct a second reading of the bill, which will allow peers to discuss the legislation.