A new Data Protection Bill, announced as part of the Queen’s Speech, will bring into UK law the European Union General Data Protection Regulation (GDPR) and the new Directive, replacing the 1998 Data Protection Act.
It’ll also give people new rights to ‘require major social media platforms to delete information held about them at the age of 18’; as mentioned in the Conservative Party manifesto at the June 2017 general election. As required by the GDPR, the Bill will update the powers and sanctions for the data protection regulator, the Office of the Information Commissioner (ICO).
In the speech, the Queen promised collective international action, and strong partnerships with civil society, to combat extremism. For background on the Queen’s Speech visit gov.uk.
Also promised, as a result of the recent terrorist attacks in Manchester and London, is a review of counter-terrorism powers; and how to work with online companies to reduce and restrict the availability of extremist material online. The Government is to set up a ‘Commission for Countering Extremism’, to expose examples of extremism; and identify what the UK Government can do against extremism.
As significant were some things left out that were also in the Tory manifesto; such as the Serious Fraud Office (SFO) merging into the National Crime Agency (NCA); and a national infrastructure police force, made up of the British Transport, Ministry of Defence and Civil Nuclear Constabulary forces.
Comments
Peter Carlisle, VP of EMEA at cyber product company Thales e-Security, said: “It is very encouraging to see that the government will be placing a greater emphasis on establishing a world-class data protection regime in the UK with the introduction of this new law. The greater the volumes of data accessible online, the greater the potential for exposure and the increased chance of hackers taking advantage of systems that some have thought impregnable.
“Ensuring that both individuals and businesses have as much control as possible over where and how their data is used is critical to the UK’s broader cybersecurity strategy. As high-profile data breaches continue to plague our society, it is only right that the UK government is implementing more fortified measures to tackle them, particularly as we draw nearer to the widespread introduction of the General Data Protection Regulation next year.”
And giving a legal view, Rocio De La Cruz, Principal Associate at Gowling WLG said the new Data Protection Bill shows that the UK government takes the protection of citizens’ personal data seriously and that it is committed to maintaining a regime in line with the coming GDPR. “This means that despite Brexit, businesses need to keep getting ready to assure compliance with a sterner regime.
“The new Bill aims, amongst other things, to modernise and update the regime for data processing by law enforcement agencies. The current position concerning criminal law enforcement means that the processing of personal data for this purpose is excluded from the GDPR. What applies instead is the EU Directive on protecting personal data processed for the purpose of criminal law enforcement (Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 ), which entered into force on 5 May 2016 and will have to be translated into national law before 6 May 2018.
“The European Commission stated that “the directive aims to protect the right of individuals to the protection of their personal data while guaranteeing a high level of public security”. It also clarified that the specific nature of police and judicial activities in criminal matters requires differentiated rules on the protection of personal data to allow free flow of data between member states where necessary.
“It is reasonable to believe that the implementation of the directive will take place before Brexit and that a post-Brexit legislation would maintain its essence. If so, this will mean that the criminal law enforcement regime will still cover both domestic processing and cross-border transfers of personal data and that citizens’ rights, like the right to receive compensation for damage suffered as a consequence of processing that has not respected the rules implemented by law, will remain.”
Adenike Cosgrove, Cybersecurity Strategy, EMEA at Proofpoint said: “UK companies that have buried their heads in the sand in the hope that Brexit would exonerate them from GDPR compliance must now act. Organisations that collect, process and store personal data of EU and UK residents must have a good understanding of where all data resides and most importantly, take the necessary steps to protect it. This can be very challenging, particularly for large companies; without the proper technology and processes in place, complying with new data regulations by May 2018 will prove almost impossible.”
