What You Need to Know About Proposed Updates to the UK Data Protection Bill
The UK Government recently announced its intent to introduce a set of sweeping updates to existing data protection law to “reflect the changing nature and scope of the digital economy”. Earlier this summer, the Australian Government made a similar announcement, saying it would upgrade its own data protection legislation to bring it more in line with US and EU standards.
Inside the UK Data Protection Overhaul
According to the official government announcement, the proposed changes:
- Expand the definition of ‘personal data’ to include IP addresses, internet cookies, and DNA
- Support businesses to ensure they are able to manage and secure data properly
- Give more power to the Information Commissioner’s Office, the UK’s data protection regulator, to defend consumer interests and issue higher fines – up to £17 million or 4% of global turnover – for the most serious data breaches
- Require ‘explicit’ consent for processing sensitive personal data, ending the use of default opt-out or pre-selected ‘tick boxes’ as a way of giving consent to collect personal data
- Simplify the process to withdraw consent for the use of personal data
- Allow people to ask for personal data held by companies to be erased, and make it easier and free for individuals to require an organization to disclose the personal data it holds on them
- Enable parents and guardians to give consent for their child’s data to be used
- Make it easier for customers to move data between service providers
In the statement, Matt Hancock, Minister of State for Digital, said the new standards are “designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.”
Julian David, CEO of techUK, an industry trade group, was also quoted in the official statement: “techUK supports the aim of a Data Protection Bill that implements GDPR [EU General Data Protection Regulation] in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations.”
Obligations for Business
The data protection bill has implications for businesses in the UK and beyond.
In an SC Magazine report on the proposal, Mark Thompson, head of privacy advisory at KPMG, suggested that while the new commitment ensures data resilience, it “does, however, provide some challenges for business in terms of getting their houses in order, but, ultimately, this now means that privacy needs to be at the core of their business strategies.”
Howard Ricklow, a partner at UK law firm Collyer, agreed, telling The Lawyer magazine, “The Statement of Intent demonstrates the UK’s commitment to strong data protection legislation post Brexit; however, it could mean that many organisations need to review their data privacy and protection policies so that they are compliant with the new laws. With the increased fines and penalties available to the Information Commissioner’s Office for breaches of data protection law, it is in every company’s best interest to undertake this review sooner rather than later to avoid a breach when the laws come into force.”
What US Businesses Need to Know
We sat down with Mimecast cyber resilience expert Dan Sloshberg to get the skinny on what the proposal means for US organizations.
Q. Some people may say, "Why worry about this, we're US-based?"
“The GDPR and now the proposed UK Data Protection Bill could be seen as only applying to Europe. However, this is not the case. These stricter personal data controls apply to any organization that collects or holds personal data of residents in the EU or UK, including permanent residents, visitors, and expatriates. Applicability of compliance requirements is thus based on the location of the individuals about whom an organization holds personal data, not the location of the organization.”
In short: any US-based organization wanting to do business in the UK or Europe must comply. US businesses that have European divisions or subsidiaries must comply, as must those that deal directly with European residents, such as an online retailer selling to someone in France or the UK.
Q. Will this all change after Brexit?
“The announcement reinforces the expectation that GDPR-style compliance is a vital requirement for UK businesses, even with Brexit pending. In fact, post Brexit, demonstrating accountability around data protection may become a requirement to do business with Europe and its citizens. This also has an impact on global organizations wanting to do business in the UK and Europe, and will likely pave the way for similar protection regulations being introduced and enforced by other countries, as this is ultimately good news for individuals.”
Q. What should U.S. companies do right now in response?
“It’s early days, but organizations must take action now to be ready for GDPR in May 2018 and the UK bill following Brexit completion. There is no blueprint to follow, as there is no case law to refer to; however, now is the time to review data collection and processing practices, as well as how quickly and easily data can be found and provided to citizens or indeed deleted on request. However, you can’t stop there. Central to these new regulations is the need to report data breaches. Organizations taking steps to best protect against a successful attack will be in a much better position to demonstrate accountability than those that don’t. Advanced email security is a critical requirement, given that over 90% of attacks start with an email.”