UK Government Announces New Data Bill
In line with the upcoming General Data Protection Regulation (GDPR), Matt Hancock, Digital Minister, has announced plans for a new Data Bill set to strengthen current data protection laws in the UK. The GDPR has been making headlines across the globe in the last 18 months, but with less than 8 months until the deadline for compliance the UK government has begun the process of making the regulation UK law.
Among the noise of Brexit negotiations, some chose to believe that the GDPR may not take such an effect on UK based organizations; several months ago, it was reported that more than 40% of companies were not aware of or prepared for the GDPR coming into place. However, with the regulation set to affect all organizations that trade with or hold data regarding European Citizens, Brexit or not non-compliance is not an option.
Who, what and where?
The statement of intent published by the Department for Digital, Culture, Media & Sport on August 7th lays out an overview of the planned reforms to data protection in the new Data Protection Bill. Among many changes, one which has been heavily publicised is the increase in the fine that can be given as punishment for not complying with data laws. Previously, in the Data Protection Act (DPA), an organisation could be given a fine of up to £500,000 for a serious breach, this figure is now £17m or 4% of global revenue.
With the regulation set to come into place early next year, across Europe, each state will be charged with enforcing the new laws; The Information Commissioners Office will be responsible for this in the UK. Key changes under the new data protection bill include:
- A renewed focus on protecting personal data and the rights an individual has with regards to their personal data.
- Making it simpler to withdraw consent to the use of personal data.
- Updated definitions of key terms as previously defined in the Data Protection Act 1998, including what classifies as personal data.
- Further onus on data processors to protect individual’s rights.
- New guidelines on reporting a data breach and the timeframe to do so without incurring a monetary penalty.
While some of the changes may seem drastic, it is important to realise that the DPA is almost 20-years old and the technological advancements that have come within that time.
“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world.” – Matt Hancock
What do you need to do?
To comply with GDPR it is important to understand which parts are likely to affect you or your organization, for example some but not all organizations will have to consider employing a person in the position of Data Protection Officer to help with compliance.
An area that all organizations will have to comply with is updating processes around consent to the use of personal data. Organizations must be given clear and ‘unambiguous’ consent and must ensure that the purpose of data collection is clear and available, processes must also be put in place to be able to track consent and for consent to be easily withdrawn by the data subject.
Due diligence must also be taken by organizations to ensure that the managed service providers and contractors they work with are not putting the organization at risk of data breach. It is stated in the regulation that ‘technical and organization measures’ must have been taken.
Do I need to hire a DPO?
A DPO’s primary focus will be to inform and advise an organization and its employees about their obligation to comply with the GDPR and other data protection laws. Including monitoring compliance with GDPR, and other data protection laws, train staff and conduct internal audits. They must report into the highest level of management and cannot perform the role if they are in an alternate role that could create a conflict of interest.
Under the regulation, organizations must appoint a DPO if they are a public authority, carry out monitoring of individuals on a large scale or process special categories of data on a large scale.
Redstor will be partnering with GDPR365, to ensure all organizations are prepared for the new Data Protection Bill and the GDPR. GDPR365 gives organizations a platform to review and organize their processes to ensure they are GDPR compliant and to provide a framework for new documentation needed under the regulation. To learn more about GDPR and GDPR365, register for daily email lessons here.
Alternatively, download the GDPR White paper.