The public is to be given greater control over the personal data companies hold them – including the right to be forgotten.
In a statement of intent the Government has committed to updating and strengthening data protection laws through a new Data Protection Bill announced today.
“It will provide everyone with the confidence that their data will be managed securely and safely,” a statement from the Department for Digital, Culture, Media and Sport said, quoting research showing more than 80% of people feel that they do not have complete control over their data online.
Under the plans individuals will have more control over their data by having the right to be forgotten and ask for their personal data to be erased.
This will also mean that people can ask social media channels to delete information they posted in their childhood.
The reliance on default opt-out or pre-selected ‘tick boxes’ to give consent for organisations to collect personal data will not be acceptable.
Businesses will be supported to ensure they are able to manage and secure data properly. The data protection regulator, the Information Commissioner’s Office (ICO), will also be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4 per cent of global turnover, in cases of the most serious data breaches.
Matt Hancock, digital minister, said: “Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.
“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world.
“The bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”
The Data Protection Bill will:
- Make it simpler to withdraw consent for the use of personal data
- Allow people to ask for their personal data held by companies to be erased
- Enable parents and guardians to give consent for their child’s data to be used
- Require ‘explicit’ consent to be necessary for processing sensitive personal data
- Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
- Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
- Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
- Make it easier for customers to move data between service providers
New criminal offences will be created to deter organisations from either intentionally or “recklessly” creating situations where someone could be identified from anonymised data.
Elizabeth Denham, Information Commissioner, said: “Data protection rules will also be made clearer for those who handle data, but they will be made more accountable for the data they process with the priority on personal privacy rights.
“Those organisations carrying out high-risk data processing will be obliged to carry out impact assessments to understand the risks involved.
The bill will bring the European Union’s General Data Protection Regulation (GDPR) into UK law.
Mark Thompson, head of privacy advisory at KPMG, said: "Today's statement of intent by the Government shows that the UK is committed to protecting the privacy of individuals’ data and the way it is processed. This commitment also sends a strong message that the UK will have resilient data protection regimes, post-Brexit.
“This does however provide some challenges for business in terms of getting their houses in order, but, ultimately, this now means that privacy needs to be at the core of their business strategies.”
Video: Minister for digital Matt Hancock explains the new Data Protection Bill