The government has confirmed what those in the technology sector were told to expect – that Britain’s exit from the EU will not stop European privacy rules coming into force.
In fact, from May 2018, the General Data Protection Regulation will become effective across the UK, according to an official ‘statement of intent’ published yesterday.
But GDPR is just one of a host of measures in the Data Protection Bill, designed to ‘protect Britain in the digital age’ and update the Data Protection Act — unchanged since 1998.
‘Right to be forgotten’
The others include a ‘right to be forgotten’, heftier fines of up to £17million (or four per cent of global turnover), and an expansion of “personal data” to include cookies and IP addresses.
Business groups sound generally supportive, even though it is their members who stand to be affected by having to meet the new, stricter requirements as ‘data-controllers.’
For example, rather than the current ‘tick box’ system where consumers opt out of services which collect their data, they will have to give their “explicit” consent to opt in.
The CBI said: “This legislation strikes the right balance in improving standards of protection while still enabling businesses to explore new products and services.”
But with the penalty for breaching data laws due to dwarf its current maximum of £500,000, the price for non-compliance could be “fatal”.
“Businesses need to identify which data will be subject to the new [right to be forgotten] law and ensure that it can be easily accessed and deleted if needs be.
“To do this, they should map out all their data across the whole organisation, no matter where it is stored,” said IT firm Informatica.
Under the right, Britons are automatically permitted to have social media firms or platforms delete information they posted in their childhood (before they were 18 years of age).
Parents and guardians also must give consent for any use of their child’s data, and all Britons must find it easier to require an organisation to disclose the personal data it holds on them.
Providers must also make it easier for customers to move data between service providers, and face new offences in situations where a person could be identified from anonymised data.
Tech UK said it welcomed the bill and its provisions, which comes as more than 80% of people say they do not feel they have complete control over their data online.
The body said: “[We support] the aim of a Data Protection Bill that implements GDPR in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need.