A new data protection bill will hand individuals vastly increased powers over the way their personal data are collected and processed, with big fines for organisations that fail to comply.
The bill will bring into UK law the EU’s General Data Protection Regulation, the most sweeping overhaul of regulations governing personal data for more than two decades.
The government said it would publish a “statement of intent” on the bill on Monday setting out its main elements. A bill is likely to be introduced to parliament before the end of this year.
The UK has already said it will implement GDPR, due to come into force on May 25 2018, in full and will continue to match its standards after Brexit.
According to the Department for Digital, Culture, Media and Sport, research has shown that “more than 80 per cent of people feel that they do not have complete control over their data online”.
Groups including the CBI and the Federation of Small Businesses say UK companies are waking up to the new compliance rules but too many are still unaware of GDPR or have not fully grasped its implications. Both the existing EU and UK data protection regimes were first devised before the advent of mass data collection, smartphones and social media groups such as Facebook and Instagram.
Tom Thackray, the CBI’s innovation director, said: “This legislation strikes the right balance in improving standards of protection while still enabling businesses to explore new products and services.”
“Data subjects” — ranging from social media users to employees, insurance customers, smartphone owners, bank account holders and users of health services including the NHS — will get a far bigger say in the way their personal data are collected, processed and stored.
Operating under the GDPR mantra of “privacy by design and default”, companies will have to set out clearly and without a fee what information they hold and how they intend to use it, and gain a clear and unambiguous indication of consent from the customer for the use of their data.
The definition of personal data will be significantly broadened to include online identifiers and anything that reveals someone’s location. Under a “right to be forgotten”, individuals will be able to ask organisations to delete or remove personal data — including embarrassing social media posts from their childhood and student years.
Crucially for businesses, the GDPR sets out much bigger fines for non-compliance — up to 4 per cent of global annual turnover, or €20m, whichever is greater. At present, the Information Commissioner’s Office can issue a maximum fine of £500,000 for breaches of data rules.
Matt Hancock, digital minister, said the bill “will give us one of the most robust, yet dynamic, set of data laws in the world. It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”
He added: “We have some of the best data science in the world and this new law will help it to thrive.”
Elizabeth Denham, the information commissioner, said: “We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.”