Introduction of Data Protection Bill on 25 May 2018
Many of you will be aware that from next May the UK will have new legislation in relation to data protection. The Data Protection Bill is due to be introduced after 25 May 2018 and will incorporate the General Data Protection Regulation (GDPR) being introduced across the EU.
This legislation will update data protection law and also introduce European privacy rules into UK law. Further, irrespective of the referendum decision to leave the EU, this law will be introduced in the UK and will enable UK companies to comply with EU requirements when they handle data.
What are the key reforms?
The legislative changes introduce a “right to be forgotten”, which will allow individuals to ask companies, including for example social media companies, to erase their data. The UK is also introducing measures additional to the GDPR which will require a social media company, if requested to do so, to delete all posts an individual made before they were 18 years of age.
At present the Data Protection Act 1998 is the relevant UK legislation. That Act is greatly misunderstood, and in fact the personal data to which it applies is limited in scope. It covers information held on a computer or in a relevant filing system, but that must be a systematically structured filing system such as health records or perhaps housing records. Under the new legislation, IP addresses, internet cookies and other categories will now be included within the scope of personal data, which will be significantly broader.
Under the Data Protection Act 1998 there is a legislative obligation on a Data Controller but not on a Data Processor. That position is changing: obligations will now also fall on Data Processors, a category which may include a broad number of the individuals in your organisation. The Data Processor will have an obligation under the Data Protection Bill to inform their Data Controller within 72 hours of a breach, which may then need to be notified to the national supervisory authority without undue delay. If a Data Processor fails to report a data loss to their Data Controller, the Data Controller may be subject to regulatory action by the Information Commissioner.
Further, there are requirements which enable an individual to request that their data be processed by a person rather than a machine where that information is profiled via an algorithm.
What does this mean for us?
Elizabeth Denham, the Information Commissioner in the UK, said of the new legislation: “Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information in the digital economy, the delivery of public services and the fight against crime.”
The net effect is that far more individuals within commercial organisations will have to understand the parameters of data protection and their obligations. Further, it is likely that a rise in awareness of the legislation, together with the potential for Data Processors to be subject to regulatory action, will lead to an increase in reporting under the Data Protection Bill.
It is hoped that the new legislative requirements will strengthen protection against fraud, money laundering and child abuse. It will certainly toughen the role of the Information Commissioner in the UK, who will now be able to impose fines on organisations in breach of up to £17 million or 4% of global turnover, whichever is higher.
The greatest concern for business appears to be focused on data erasure. Even when information has been passed to third parties outside your organisation, the data remains the responsibility of the organisation. In practice that is going to be very hard to manage cost-effectively, and our view is that you should be reviewing your systems now to ensure a smooth transition.
If you have any questions on this topic please do not hesitate to contact the writer David Riordan in our Litigation and Dispute Resolution Team on 01227 643270 or firstname.lastname@example.org.