Digesting data protection in the UK


It is not uncommon for companies to come unstuck when trying to ensure data protection in the UK. There is a lot of information to digest, and even more cause for concern given the forthcoming changes to be implemented by the general data protection regime (GDPR), which originates from the EU.

In this insight, we look at the proposed changes to the data protection regime at national level, here in the UK.

Data protection in the UK

In this year’s Queen’s Speech, a new data protection bill (Bill) was proposed. Exactly what the Bill will entail will be a matter for the legislative drafters. It is proposed that the Bill will replace and supersede the Data Protection Act 1998 (Act).

Content of the Bill

It is assumed that the Bill will follow the principles of the Act. However, the aim of the Bill is to ensure that the UK keeps pace with the digital economy and the increasing use of cloud-based services as a business model. We can expect the Bill to account for:

  1. A regime that considers the digital age and allows individuals (notably consumers) to control their data;
  2. Further restrictions on the use and transfer of data during the course of trade.

Those familiar with GDPR will be aware that a data subject (individual) will have to provide their free, informed, and specific consent. The Bill will not avoid this requirement; it is likely to respect and strengthen it.

Information on data subjects

There is indication that the Bill will include provisions that:

  1. Allow a data subject to request that their data be deleted or no longer processed;
  2. Force companies to review and delete data no longer used unless there are “legitimate grounds” for its retention. The grounds will likely be strictly qualified;
  3. Require social media platforms to delete information held about individuals (data subjects) when they reach the age of 18.

The devil will be in the detail. But what we can expect is a right for the regulator (the Information Commissioner’s Office) to impose severe penalties in the event of non-compliance. Penalties are usually calculated as a fine equal to a specific percentage of a business’s turnover. This is to ensure a degree of fairness across a range of company sizes.

What does this mean for data protection in the UK?

Regulatory penalties are often not the biggest concern; media coverage can be. Consumers are becoming increasingly protective of their data, and rightly so given the well-reported recent data breaches.

The Bill will look to address these consumer concerns, to ensure that the UK remains attractive for trade following Brexit. There is an overarching principle of “adequate protection” that we are confident the legislature will want to signal when passing the Bill through Parliament.

In reality, there are practical steps that businesses can take now to demonstrate a commitment to compliance from the outset.

Practical health check

As a starting point, businesses should be:

  1. Looking at data inflows and outflows: where is the data coming from and who receives it? Does the business process data, and if so, who is the ultimate recipient?
  2. Determining who transfers, processes, and holds data. This can often be a tricky exercise, but one we can assist with via a data protection audit service;
  3. Reviewing internal provisions relating to employees’ data access. Who has access to the data, and are there protections in place for the business in the event of employee non-compliance when accessing data?
  4. Updating standard terms of engagement, commercial contracts, and website conditions to capture the new risks posed. A lot of work will have to be done, and simple, non-legalistic language is desired. This is often an art in itself.

There is a pattern emerging with the new data protection principles. Rather than waiting for a breach and then imposing penalties, regulators are looking for companies to take proactive and positive steps to ensure compliance in the first instance. Failing to do so can lead to financial penalties and reputational damage.

John Deane, partner in the commercial team, helps guide businesses through the maze of the data protection regime. Please do not hesitate to get in touch with John on 020 7078 0326.