Back to top

UK government adopts GDPR in full but...

The government has introduced a new Data Protection Bill to allow the UK to fully adopt the EU General Data Protection Regulation (GDPR) ahead of Brexit with much of the emphasis on personal privacy. It will also mean businesses have to take steps to show compliance and that privacy compliance is core to holding data. One of the aims of the move is to try and provide clarity over future data protection to firms as the UK leaves the EU. “The bill will provide everyone with the confidence that their data will be managed securely and safely,” the government says. Research shows that more than 80% of people feel they do not have complete control over their data online.

Under the plans, individuals will have more control over their data by having the right to be “forgotten” and to ask for their personal data to be erased. This includes people being able to ask social media channels to delete information they posted in their childhood. And the reliance on default opt-out or pre-selected tick boxes - which are largely ignored, said the government - to give consent for organisations to collect personal data will also “become a thing of the past”.

In addition, the Information Commissioner’s Office (ICO) will be given more power to defend consumer interests and issue higher fines, of up to £17m or 4% of global turnover, in cases of the most serious data breaches.

Matt Hancock, minister of state for Digital, said: “Our measures are designed to support businesses in their use of data, and to give consumers the confidence that their data is protected and that those who misuse it will be held to account.

“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”

The Bill will require “explicit” consent to be given for processing sensitive personal data. It will also expand the definition of personal data to include IP addresses, internet cookies and DNA, and make it “easier and free” for individuals to require organisations to disclose the personal data they hold on them.

Customers will also find it easier to move data between service providers, and new criminal offences will be created to deter organisations from either intentionally or “recklessly” creating situations where someone could be identified from anonymised data. Julian David, CEO of industry organisation techUK, said: “We support the aim of a Data Protection Bill that implements GDPR in full [which had to be brought into UK law by next May], puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations.”

Mark Thompson, head of privacy advisory at KPMG comments:"Today's statement of intent by the Government shows that the UK is committed to protecting the privacy of individuals’ data and the way it is processed. This commitment also sends a strong message that the UK will have resilient data protection regimes, post-Brexit. “This does however provide some challenges for business in terms of getting their houses in order, but, ultimately, this now means that privacy needs to be at the core of their business strategies.”