UK draws up fresh data protection measures for Brexit

A new Data Protection Bill will enshrine GDPR principles into UK law


The government today published plans to overhaul the UK's data protection regulations, in order to align UK law with corresponding measures being introduced by the European Union.

Part of the proposals will see the introduction of the "right to be forgotten", allowing UK citizens to request that companies delete their personal data from any records, as well as to demand that social media sites delete data they posted as children - something the EU is not implementing.

The Information Commissioner's Office (ICO), the UK's data protection watchdog, will also be able to hand down tougher fines against firms that mishandle personal data.

Firms which are found to be in breach of the new data protection bill will face fines of up to £17 million, or 4% of global turnover, whichever is higher. That's up from the current £500,000 cap imposed by the Data Protection Act 1998.


The Data Protection Bill will replace the current Data Protection Act that came into force in 1998, and which is considered inadequate for dealing with modern data processing.

Digital minister Matt Hancock, who was responsible for drafting today's proposals, described the new Data Protection Bill as "one of the most robust, yet dynamic, set of data laws in the world".

"It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit," he added in a statement.

Information commissioner Elizabeth Denham said: "We are pleased the government recognises the importance of data protection and its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public."

The bill mirrors proposals set out under the EU's upcoming General Data Protection Regulation (GDPR), which will apply automatically in the UK on 25 May 2018, as it will in all EU member states. However, once Brexit completes, GDPR will no longer apply to the UK, meaning it must draw up its own laws. Today's Statement of Intent is the first step in doing so.

GDPR measures include making data more portable, so it can be moved easily between providers, and ensuring companies are forced to immediately disclose details of a security breach if it involved the leak of personal data. It will include similar tough fines, of up to €20 million, and will hand EU citizens the right to be forgotten, as well as force organisations to gain clear opt-in consent to use and process people's personal information.


By enshrining like-for-like regulations into UK law, it is likely that the UK will be 'whitelisted' by the EU, allowing UK and EU businesses to move data through both areas without interruption.

"Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU," said Hancock. "We are committed to ensuring that uninterrupted data flows continue between the UK and the EU and other countries around the world."

The bill aims to make it far easier for citizens to prevent companies from using their personal data without their consent, and, similar to GDPR, any companies seeking to collect information will soon be required to obtain "explicit" consent to process that data.

The scope of what constitutes personal data will also be expanded to include IP addresses, DNA and internet cookies.


Tom Thackray, innovation director at CBI, welcomed the proposals, saying they "strike the right balance in improving standards of protection while still enabling businesses to explore new products and services".

"In the modern economy, data has huge value and its innovative use leads to better services and more productive businesses. But firms know that this ability to innovate is dependent on customers having confidence that their information is well protected," added Thackray.


Javier Ruiz, policy director at digital rights campaign organisation Open Rights Group, welcomed the move to enshrine GDPR legislation into UK law, saying: "It will strengthen everyone's ability to control what data can be collected about them and how it can be used."

But he added: "These laws could be fundamentally altered after Brexit. The government must explain how these data protection rights will be guaranteed after the UK has left the EU. We are disappointed that UK ministers are not taking up the option in EU law to allow consumer privacy groups to lodge independent data protection complaints as they can currently do under consumer rights laws."
