Data protection laws mean stiffer fines for business breaches

The government has signalled its intention to update and strengthen data protection laws through a data protection bill, ushering in large fines for businesses which fail to meet the new requirements

The bill is designed to implement the requirements of the EU’s General Data Protection Regulation (GDPR), which comes into effect in May 2018.

It gives the data protection regulator, the Information Commissioner’s Office (ICO), wider powers including the ability to issue higher fines, of up to £17m or 4% of global turnover, in cases of the most serious data breaches by businesses.

Under the plans individuals will have more control over their data by having the right to be forgotten and ask for their personal data to be erased. This will also mean that people can ask social media channels to delete information they posted in their childhood.

The government said the reliance on default opt-out or pre-selected ‘tick boxes’, which are largely ignored, to give consent for organisations to collect personal data will also become a thing of the past.

Matt Hancock, minister of state for digital, said: ‘Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.

‘The new data protection bill will give us one of the most robust, yet dynamic, set of data laws in the world. The bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.’

The regulations have been developed following a month-long ‘call for views’ consultation earlier this year which examined potential derogations within the GDPR, which were focused largely on issues such as the age of young people who can ask for information to be deleted, the rules for academic research, and safeguarding the role of whistleblowers and journalists. 

The new rules will require ‘explicit’ consent to be necessary for processing sensitive personal data, and expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA.

In addition, the regulations will make it easier for customers to move data between service providers. The government said that where individuals change internet service provider, if they are using email or file storage services to store personal photographs or other personal data they should be able to move that data.

Individuals will have greater say in decisions that are made about them based on automated processing. Where decisions are based on solely automated processing individuals can request that processing is reviewed by a person rather than a machine.

Under the new rules, businesses must notify the ICO within 72 hours of a data breach taking place, if the breach risks the rights and freedoms of an individual. In cases where there is a high risk, businesses must notify the individuals affected.

There is to be a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Offenders who knowingly handle or process such data will also be guilty of an offence. The maximum penalty would be an unlimited fine.

A second new offence relates to the altering records with intent to prevent disclosure following a subject access request. The scope of the offence would apply not only to public authorities, but to all data controllers and processors. The maximum penalty would be an unlimited fine in England and Wales or a level five fine in Scotland and Northern Ireland.

Businesses which process certain categories of data will be required to have a mandatory data protection officer (DPO). This is a new role and will advise data controllers on data issues, handle complaints and ensure compliance with the directive.

There is a requirement for a more prescriptive logging requirement to be applied to specific operations of automated processing systems including collection, alteration, consultation, disclosure, combination and erasure of data, so a full audit trail will be available.

Elizabeth Denham, Information Commissioner, said: ‘Data protection rules will also be made clearer for those who handle data but they will be made more accountable for the data they process with the priority on personal privacy rights. Those organisations carrying out high-risk data processing will be obliged to carry out impact assessments to understand the risks involved.’

Mike Cherry, national chairman at the Federation of Small Businesses, said: ‘Small businesses need to get ready for the introduction of GDPR, and today’s statement provides a bit more information. However, for almost all smaller firms, the scope of the changes have not even registered on their radar. They simply aren’t aware of what they will need to do, which creates a real risk of companies inadvertently facing fines.

‘As rules come into force in May 2018, we need to see a commitment from the government and the ICO to provide support and guidance for the 5.5m-strong small businesses community in good time.’

Details of the consultation and the draft regulations are here.

Pat Sweet |Reporter, Accountancy Daily [2010-2021]

Pat Sweet was the former online reporter at Accountancy Daily and contributor to the monthly Accountancy magazine, pub...

View profile and articles

Average: 5 (1 vote)

Rate this article

Related Articles