As featured in the September 2017 print issue of Professional Security magazine, the Westminster Government has published the UK Data Protection Bill. The Bill is how the UK Government proposes to bring the EU-wide GDPR (General Data Protection Regulation) into UK law, replacing the 1998 Data Protection Act (DPA), regardless of last year’s Brexit vote. For the Bill in full, covering such things as rights of the data subject and transfers of personal data to third countries, visit the UK Parliament website. The GDPR is due to come into force by May 2018.
Elizabeth Denham, Information Commissioner, said: “The introduction of the Data Protection Bill is welcome as it will put in place one of the final pieces of much needed data protection reform. Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime. I will be providing my own input as necessary during the legislative process.”
Darren Anstee, chief technology officer at Arbor Networks, said: “Over the past 20 years, technology has transformed the world as we know it and with the looming GDPR it’s good to see UK government clarifying a way forward for the DPA. Most businesses are (hopefully) already on their way to putting the right frameworks, processes and controls in place to comply, given the deadline of May 2018. For businesses that need to overhaul their processes, that window is enough time to really move the needle – but they need to act now. That starts with four big questions. What data do we store? Do we need to store this data? Is that data secure? Do we share it, why and who with? Once businesses understand the answers to these questions, they will be better placed to get the correct defences and incident response plan in place.
“What this bill does is provide some clarity around the exemptions that were a part of the DPA, given the adoption of GDPR, which can only be a good thing for UK research and business.”
Lal Hussain, Director IT Applications at IT firm Insight UK, said: “This new Data Protection Bill has the potential to completely reshape the way we approach data protection in the UK, and comes at a time when many companies, both large and small, are being overwhelmed with data. It presents a pragmatic approach as under the new laws journalists, financial firms and anti-doping bodies could receive exemptions to protect personal data, in instances like protecting freedom of press and preventing fraud.
“However, at the same time it brings into focus how important maintaining the security of the data is. UK firms that suffer a serious data breach could be fined up to £17m or 4pc of global turnover, meaning that now more than ever how you manage data privacy could become as important to customer retention as the overall buying experience.
“This level of punitive risk has the potential to become a make-or-break factor for many organisations. Development of a mature approach to data in this modern age is therefore critical, and the first step is recognising that data protection, storage and assessment is a key part of the overall business. Companies both big and small must build teams that reflect this reality, and take responsibility for the data they hold. With great power comes great responsibility.”
And Sarah Armstrong-Smith, Head Continuity and Resilience at Fujitsu UK & Ireland, said: “In general terms, the new Data Protection Bill proposals are not unexpected and the GDPR makes a number of exclusions already. Anything that is around national security, public services, criminal justice, and journalism is already excluded to a certain degree, in order to allow the authorities to do their jobs properly, and is in the interest of the public and national security itself. The new proposals are not a bad thing, as it is a good sign that the bill will fall in line with GDPR and we will continue to see the principles applied even once the UK leaves the EU.
“The exemption with this new bill shouldn’t negate the fact that they have responsibilities to protect the rights and freedoms of the data subjects, and will still need to secure it. They will need to justify why the data is being collected and won’t have free rein to do as they wish; and any data handling still needs to be lawful. It’s about having trust and transparency, and ultimately that the wider public and the national interests of the country are being protected. The justification for the way data is collected and handled needs to be done in an appropriate manner, and that’s where the bill and GDPR come into play.”