In a statement of intent the Government has set out how it plans to update data protection law in the UK, through a new Data Protection Bill.
The data protection regulator, the Information Commissioner’s Office (ICO), will be given more powers, including the power to issue fines higher than the current £500,000 maximum: up to £17m or 4 per cent of global turnover. Also proposed is an expanded definition of ‘personal data’ to include IP addresses, internet cookies and DNA (things not really around when the current law, the 1998 Data Protection Act, was passed).
Matt Hancock, Minister of State for Digital at the Department for Digital, Culture, Media and Sport (DCMS) said: “Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account. The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”
Elizabeth Denham, Information Commissioner, said: “We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.”
According to the DCMS, data protection rules will be made clearer for those who handle data, but they will also be made more accountable for the data they process, with the priority on personal privacy rights. As Professional Security reported in its June 2017 print issue, IT and other managers faced with complying with GDPR by the May 2018 deadline complained at a Westminster eForum conference on the subject, at which Jonathan Bamford, head of parliamentary and government affairs at the ICO, spoke, that the regulator had not yet published guidance on how to comply in detail, for example on where, and within what time limit, to notify the ICO of a data breach.
The DCMS said that those organisations carrying out high-risk data processing will be obliged to carry out impact assessments to understand the risks.
Also released is research and analysis to quantify the benefits arising from personal data rights under the GDPR, for the Government by the consultancy London Economics. You can download the 180-page document here.
Rocio De La Cruz, Principal Associate at law firm Gowling WLG, said that the Bill as announced in the Queen’s Speech will be published after Parliament returns on September 5, after the summer recess. “The Bill demonstrates the fact that the UK government takes the protection of citizens’ personal data seriously and that it is committed to maintaining a regime in line with the enhanced requirements stated in the forthcoming GDPR. This means that despite Brexit, businesses need to keep getting ready to assure compliance with a sterner regime.
“The new Bill aims, amongst other things, to modernise and update the regime for data processing by law enforcement agencies. The current position concerning criminal law enforcement is that the processing of personal data for this purpose is excluded from the GDPR. What applies instead is the EU Directive on protecting personal data processed for the purpose of criminal law enforcement (Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016), which entered into force on 5 May 2016 and will have to be translated into national law before 6 May 2018.
“The European Commission stated that “the directive aims to protect the right of individuals to the protection of their personal data while guaranteeing a high level of public security”. It also clarified that the specific nature of police and judicial activities in criminal matters requires differentiated rules on the protection of personal data to allow free flow of data between member states where necessary.
“It is reasonable to believe that the implementation of the directive will take place before Brexit and that a post-Brexit legislation would maintain its essence. If so, this will mean that the criminal law enforcement regime will still cover both domestic processing and cross-border transfers of personal data and that citizens’ rights, like the right to receive compensation for damage suffered as a consequence of processing that has not respected the rules implemented by law, will remain.”
Kyle Wilhoit, senior cybersecurity threat researcher at DomainTools, a domain name search tool, said: “The GDPR helps offset the risk created by the constant curation of personally identifiable information (PII) online. The containment of PII should be a concern for any individual in this day and age. Giving a consumer the power to request deletion of data is an important move in the right direction, in my opinion. However, it’s important to note that if a consumer requests deletion, that data may still be living in cache somewhere. It’s likely that data posted publicly online will either never be fully purged or could take a considerable amount of time to be deleted.”
And Gordon Morrison, Director of Government Relations at IT security software company McAfee, said: “Recent global cyber events have highlighted the need to protect essential services from cyberattack. It is not surprising that the government is introducing greater responsibilities to organisations providing essential services and penalties to firms that suffer cyberattacks without adequate security measures being in place. This new regulation will potentially prove crucial in ensuring that a minimum standard of cybersecurity is maintained and help avoid unnecessary disruption to these essential public services.”