UK moves to mirror GDPR with Data Protection Bill
Bill begins journey through Parliament
The government's Data Protection Bill began its journey through Parliament today with the intention of replacing the current Data Protection Act enshrined in 1998.
The bill, published today, will also transfer the EU's General Data Protection Regulation (GDPR) into UK law ahead of the UK's exit from the EU, to ensure the union and the UK can still share data across borders.
Matt Hancock, minister of digital, said in a statement: "We are strengthening Britain's data rules to make them fit for the digital age in which we live and that means giving people more control over their own data.
"There are circumstances where the processing of data is vital for our economy, our democracy and to protect us against illegality. Today, as we publish the Data Protection Bill, I am offering assurances to both the public and private sector that we are protecting this important work."
The new bill aims to modernise the UK's data protection framework to account for the value of people's personal data today, offering people stronger rights over what others can do with their data, and requiring companies to gain people's consent to use their information.
Under the bill, the current freedom of the press to access data in the public interest will be maintained, as well as ensuring universities and museums need not comply with some measures that would hinder their research.
It also outlines measures to prevent doping in sports, to prevent terrorist financing, money laundering, and child abuse.
The new bill makes clear that - as Hancock suggested to the House of Lords' EU Home Affairs sub-committee in February - that the UK will reflect GDPR in its own data protection laws in order to ensure the data-flows between the areas continue uninterrupted.
Under the plans, individuals will have more control over their data by having the right to be forgotten and ask for their personal data to be erased. Unlike GDPR, this will also mean that people can ask social media channels to delete information they posted in their childhood.
The government said that the reliance on default opt-out or pre-selected 'tick boxes' for data collection consent, "which are largely ignored" will also disappear.
The data protection regulator, the Information Commissioner's Office (ICO), will be given more power to defend consumer interests and issue higher fines, of up to 17 million or 4% of global turnover, in cases of the most serious data breaches.
Information Commissioner Elizabeth Denham welcomed the bill, saying: "Effective, modern data protection laws with robust safeguards are central to securing the public's trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime. I will be providing my own input as necessary during the legislative process."
Sarah Armstrong-Smith, head of continuity & resilience at Fujitsu UK & Ireland, added: "The new proposals are not a bad thing, as it is a good sign that the bill will fall in line with GDPR and we will continue to see the principles applied even once the UK leaves the EU."
Welcoming the bill, Sheila FitzPatrick, chief privacy officer at NetApp, said businesses must still continue their efforts to comply with GDPR, while doing so will ensure compliance.
She said: "While the bill will help bring the UK up to the European standard and replace the woefully outdated Data Protection Act, businesses cannot rest on their laurels and assume the government will achieve compliance on their behalves.
"UK businesses of all sizes will still have to reassess their compliance framework to ensure they are able to address key GDPR requirements like the right to be forgotten, and explicit and unambiguous consent ahead of the 25 May 2018 deadline -- which is just over 250 days away."