At the beginning of August, the UK government announced proposals for a new Data Protection Bill (DPB) which will replace the current Data Protection Act. The new law is intended to give individuals greater control over their personal data, especially with regards to the right to be forgotten.
For individuals, it is a good thing. It will be easier and free of charge for individuals to request companies to disclose the data it holds on you, and will require your clear and explicit consent for them to continue to contact you, and not just on a generic basis. You will be able to give your consent on a number of options, i.e. they will no longer be able to ask you to tick one generic box giving them permission to ‘keep in touch’, rather, you will be able to opt in, or not, to an entire menu of options, e.g. newsletter, new products, etc.
If a company is found to be in breach of the new law, fines will be a lot heftier, with a maximum of £17m or 4% of global turnover. For SMEs, this could be the difference between survival and closure.
Digital Minister Matt Hancock said that the new Bill “will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”
The similarities with GDPR
While the changes in the law for DPB sound all very well, what the government is proposing is virtually identical to the new European GDPR law which will come into effect next May. GDPR will also give us robust and dynamic data laws – and as the new EU rules will come into force before any possible Brexit, the UK will have to be compliant anyway.
To be fair, there are two aspects of the DPB which do go further than GDPR. The new UK law will extend the right to be forgotten on social media posts dating from before people were 18, if they request it. It also makes it a criminal offence to alter data records following a Subject Access Request. Everything else, such as the new rules on IP addresses, cookies, DNA etc, is exactly the same as GDPR.
Lumina Technologie’s MD Richard McBarnet is simultaneously impressed and unimpressed by the government’s announcement. “I applaud the fact that the government is taking data privacy seriously and embracing GDPR despite Brexit. Overall, GDPR is a positive thing and it is good that the government is at least making its position clear in the muddy waters of Brexit. But the government’s claim that DPB sets the UK apart falls flat when you compare it to GDPR. In fact, I really am struggling to see the differences between DPB and GDPR and it feels a little like the government is trying to take credit for pan-European work that has gone into GDPR.”
Everything you wanted to know about GDPR