UK to strengthen data protection law


The UK’s new Data Protection Bill promises to enhance individual rights when it comes to the right to access your data, data portability and the right to be forgotten.

Under the plans, among others, individuals can ask for their personal data to be erased.

This means that people can ask social media channels to delete information they posted in their childhood. The reliance on default opt-out or pre-selected “tick boxes”, which are largely ignored, to give consent for organisations to collect personal data will also become a thing of the past, according to a statement from the UK’s Department for Digital, Culture, Media and Sport.

In its statement of intent, released on Aug 7, the ministry said the proposed laws will provide everyone with the confidence that their data will be managed securely and safely, noting that one research showed that more than 80% of people feel that they do not have complete control over their data online.

“The bill will tighten data protection requirements. In particular, it makes it easier for individuals to access their own data and understand their data protection rights. Furthermore, if an individual requests information on the ways in which their personal information is processed, the data controller will be required to provide that information free of charge,” according to the 35-page statement entitled, “A new Data Protection Bill: Our planned reforms”.

With the online explosion the world over, data protection laws are becoming a central piece of legislation as they control how personal information is used by organisations, businesses or the government. People responsible for using data are required to follow certain rules, called “data protection principles” by some parties.

UK Minister of State for Digital Matt Hancock said the measures proposed in the bill are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held accountable.

“The new Data Protection bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive,” he said in the statement.

He added that bringing the European Union (EU) law into the UK’s domestic law will help to prepare the UK for the future after it leaves EU.

He noted that the EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive have been developed to allow people to be sure they are in control of their personal information, while continuing to allow businesses to develop innovative digital services without the chilling effect of over-regulation.

The document noted that businesses will be supported to ensure they are able to manage and secure data properly.

The data protection regulator, the Information Commissioner’s Office, will also be given more power to defend consumer interests and issue higher fines of up to £17 million (RM95.03 million), or 4% of global turnover, in cases of the most serious data breaches.

On right to accessing your data, the EU’s GDPR requires that data controllers provide individuals the first copy of the personal data undergoing processing free of charge. For any further copies requested, the controller may charge a “reasonable fee” based on administrative costs.

On the new right to data portability, it allows for individuals to receive the personal data, which they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit them to another data controller. This may include data collected through the tracking and recording of an individual such as an application recording heartbeat or technology used to track browsing behaviour.

Elaborating on the right to be forgotten, the GDPR has widened the existing “right to be forgotten”, including the right for individuals to obtain erasure of personal data relating to them and the abstention from further dissemination of such data.

“The principle difference is a strengthening of the law from being applicable when substantial damage or distress is likely to be caused, to whenever a data subject withdraws their original consent for the data to be available, as long as it is no longer necessary or legally required for the grounds on which it was originally collected, or there are no overriding legitimate grounds for processing,” according to the document of intent.