New Data Protection Bill to bring GDPR into UK law

10 August 2017

The new Data Protection Bill will bring the European Union’s General Data Protection Regulation (GDPR) into UK law, helping to strengthen UK data protection law.

People are to have more control over their personal data and be better protected in the digital age under new measures announced by digital minister Matt Hancock.

In a statement of intent the government has committed to updating and strengthening data protection laws through a new Data Protection Bill. It will provide everyone with the confidence that their data will be managed securely and safely. Research shows that more than 80 per cent of people feel that they do not have complete control over their data online.

The Data Protection Bill will:

  • Make it simpler to withdraw consent for the use of personal data

  • Allow people to ask for their personal data held by companies to be erased

  • Enable parents and guardians to give consent for their child’s data to be used

  • Require ‘explicit’ consent to be necessary for processing sensitive personal data

  • Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA

  • Update and strengthen data protection law to reflect the changing nature and scope of the digital economy

  • Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them

  • Make it easier for customers to move data between service providers

Under the plans individuals will have more control over their data by having the right to be forgotten and ask for their personal data to be erased. This will also mean that people can ask social media channels to delete information they posted in their childhood. The reliance on default opt-out or pre-selected ‘tick boxes’, which are largely ignored, to give consent for organisations to collect personal data will also become a thing of the past.

Businesses will be supported to ensure they are able to manage and secure data properly. The data protection regulator, the Information Commissioner’s Office (ICO), will also be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4 per cent of global turnover, in cases of the most serious data breaches.

New criminal offences will be created to deter organisations from either intentionally or recklessly creating situations where someone could be identified from anonymised data.