The UK government has recently announced the new Data Protection Bill, which is designed to replace the current, outdated Data Protection Act (DPA). The new bill was published on 14 September 2017, although it has not been specified when it will officially come into effect.
What is the reason for the new Data Protection Bill?
As of 25 May 2018, the EU GDPR (General Data Protection Regulation) will come into force. Since the UK has voted to leave the European Union, our current data protection laws must be updated to reflect those of the GDPR, in order to ensure that there are no disruptions to the way data is transferred between Britain and the rest of Europe. However, certain updates, such as the way social media companies store personal data belonging to those under the age of 18, have been added on.
How does the new Data Protection Bill differ from the existing DPA?
Included in the new bill are the following updates/improvements:
Right to be forgotten
The “right to be forgotten” is designed to give individuals more control over how their information is stored and removed. While the “right to be forgotten” is already included in the forthcoming GDPR, the Data Protection Bill has extended the law by requiring social media companies to delete any information that was posted by an individual when they were under the age of 18, should the individual choose to make such a request. This may prove a challenge for some organisations whose data archives are stored in a manner that is difficult to search and sort.
Due to concerns that companies are using browsing records to target individuals, the definition of personal data will be updated to reflect new types of data that were not covered by the DPA. These new types of personal data include IP addresses, cookies and DNA.
Companies often use automated “profiling” of data relating to a person’s health, personal preferences, financial status, behaviour etc. Under the new law, individuals can demand that such profiling is performed by a person, and not by an algorithm.
The new Data Protection Bill will make it easier for individuals to move data between companies (e.g. moving photos between cloud storage providers).
New fines and criminal offences
As with the GDPR, the penalties associated with non-compliance will be significantly bolstered under the new bill. Fines of up to £17m, or 4 per cent of a company’s global turnover, may be issued should a company fail to comply. This is a significant increase from the maximum fine of £500,000 associated with the DPA. As you can imagine, companies like Facebook and Google could face potential fines that amount to billions of pounds. There are also two new criminal offences outlined by the Data Protection Bill. The first relates to the re-identification of people from anonymous data; this would involve piecing together bits of anonymous data in an attempt to identify a particular user’s behaviour. The second offence relates to tampering with personal data in some way. The fines for breaching these laws are potentially unlimited.
Complying with these new regulations may pose a significant challenge to many organisations; however, there are solutions available that can help to ease the burden. For example, LepideAuditor enables you to keep track of your sensitive data by helping you determine who has access to which data, when the data is being accessed and where the data is located. It also enables you to generate various custom reports and alerts, which can be used to satisfy regulatory requirements.