Details of the Data Protection Bill were revealed yesterday. The Government announced that the new laws will provide people with more control over how their personal information is used and ensure that people can withdraw consent to use their data just as easily as they can grant it.
The proposed changes are intended to help bring the UK in line with the EU’s General Data Protection Regulation (GDPR) post-Brexit, but also to push the UK to the forefront of data protection and online regulation.
Key changes announced include:
The scope and applicability of the proposed data protection laws, like those of the GDPR, are worldwide. The Information Commissioner’s Office will have powers to levy fines of up to £17m, or 4 per cent of a breaching company’s global turnover. In comparison, the current maximum fine for breaching data protection laws in the UK is £500,000, a difference that demonstrates how seriously the Government wants companies to take the protection of individuals’ personal data. This could mean fines of up to billions of pounds for companies like Facebook or Google.
In addition to these, new criminal offences could result in unlimited fines for tampering with personal data that has been requested by an individual or re-identifying individuals by piecing many bits of anonymised data together (e.g. IP addresses and internet cookies).
Are UK businesses ready?
Many critics fear that businesses are wholly unprepared for the new laws. Whilst it is difficult to speculate how the changes will impact upon businesses once the rules are in full force and effect, businesses can only be advised to start getting their house in order sooner rather than later. This will involve reviewing current practices, any forms used to obtain personal information from individuals, and contracts with suppliers who have access to personal information you collect, as well as training employees.