UK to enshrine GDPR with data protection law revamp

The proposals will see Britons
given more control over what happens to personal information,
meaning they can ask for some data to be deleted.

Firms who flout the proposals, which are part of an overhaul
drafted by digital minister Matt Hancock, will face potentially
large fines – up to £17 million or 4% of global
turnover. This is up from £500,000 in current law, and
the powers will be enacted by the UK’s Information
Commissioner, the government said.

“The new Data Protection Bill will give us one of the most
robust, yet dynamic, set of data laws in the world,” said
Hancock in a statement.

“It will give people more control over their data, require
more consent for its use, and prepare Britain for Brexit.”

The new proposals will bring British law in line with the
GDPR, which is set to go live next year, setting a number of
new obligations on companies. These will include:

• Making it
simpler for people to withdraw consent for personal data to be

• Let people ask
for data to be deleted

• Obtain explicit
consent before processing sensitive personal data

• Allow people to
obtain the information the companies hold on them much more

The proposals will also make re-identifying people from
anonymised data a criminal offence, whilst also expanding
the term "data" to include IP addresses, DNA and cookies.

Elizabeth Denham, the information commissioner, said: “We
are pleased the government recognises the importance of data
protection, its central role in increasing trust and confidence
in the digital economy and the benefits the enhanced
protections will bring to the public.”

Though the law is in line with the EU’s GDPR, a
question mark still remains over what purpose it serves, as UK
companies would still be subject to the EU rule once it comes
into force in May. With the country’s exit from
the European Union pending, this would possibly cover for that,
although it is important to note that the GDPR covers any data
controllers (organisations that collect data from EU
residents), processors (organisations that process data on
behalf of a data controller), or data subjects (persons) within the

In other words, UK companies who operate in Europe or
process the data of European citizens would have been subject
to GDPR post-Brexit anyway.

According to Veritas Technologies, a cloud data management
business, a recent survey of more than 900 companies found
31% claimed to be ready for the new EU rules, but almost a fifth
of those admitted they could not erase or modify personal

The cost of breaching the new rules, whether they be the
UK’s version or the EU’s, is
potentially high. In its statement of intent, the government
said companies carrying out high-risk data processing will be
“obliged to carry out impact assessments to understand the
risks involved” in handling it. This could impact the data
centre and telecoms market significantly.
