10/08/2017

NEW DATA PROTECTION BILL WILL INTRODUCE ‘RIGHT TO BE FORGOTTEN’ (UK)

Measures to give people greater control over their personal data and place new restrictions on the ways in which businesses and social media harvest, manage  and exploit it will be introduced in a new Data Protection Bill designed to bring post-Brexit Britain into line with the EU’s general data protection regulation (GDPR).

This additional control includes the ‘right of erasure’ – also termed the ‘right to be forgotten – which enables individuals to request their personal data be deleted or removed where there is no compelling reason for its continuing presence.

Businesses will also no longer be able to rely on devices such as default opt-outs or pre-selected tick boxes to gather reams of valuable personal information.

Other measures set out in ‘General Data Protection Regulation: Call for Views’ will

  • make it simpler to withdraw consent for the use of personal data
  • enable parents and guardians to give consent for their child’s data to be used
  • require ‘explicit’ consent to be necessary for processing sensitive personal data
  • expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
  • update and strengthen data protection law to reflect the changing nature and scope of the digital economy
  • make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
  • make it easier for customers to move data between service providers

New criminal offences will be created to deter organisations from creating situations where someone could be identified from data, even though it does not include their names.

The Information Commissioner’s Office will also be given greater powers to defend consumer interests, including the power to issue fines of up to £17m or 4% of global turnover in the most serious data breaches.

Amended data protection rules will clarify that those who handle data are accountable for the data they process. Organisations carrying out high risk data processing will be required to carry out risk assessments to ensure they understand the risks involved.

While the Bill has been broadly welcomed by consumer and business representatives, dissenting voices include the Times leader writer who regards it as a missed opportunity –  “As it stands, the bill will do little more than meld into UK law a set of European Union regulations which, while welcome as far as they go, do not go anything like far enough.”