For those businesses and organisations that have spent months focusing on how to prepare for the implementation of the EU’s General Data Protection Regulation (GDPR) in May 2018, the announcement of a new UK data protection bill is likely to have come as quite a surprise.
In reality, however, while it will be a significant update to the UK Data Protection Act of 1998, the primary impact of the new UK bill will simply be to support the implementation of the GDPR in UK law.
The decision to incorporate the GDPR into UK law is a welcome one. When it comes into effect next year, the GDPR will require any business that processes data of EU citizens to comply with stricter privacy rules. It aims to bring more choice and control to data privacy, and enable the exercise of fundamental privacy rights of people, thus putting them back in control of their personal data.
The UK Data Protection Bill will add some UK-specific colour to the purposefully vague components of the GDPR, something many member states will need to do.
However, with Britain's exit from the EU fast approaching, there was a possibility that British consumers could have found themselves considerably worse off than their European counterparts when it came to control over their personal data. British businesses would also have suffered, since they would have had to comply with two different sets of data privacy rules. Mismatched data regulations across the UK and Europe would quickly have become a compliance nightmare and would certainly have influenced whether organisations chose to operate in the UK post-Brexit. The Repeal Bill, by design, means all EU law is absorbed into UK law, including the GDPR, with the UK Data Protection Bill providing the local implementation details for UK citizens.
Empowering the end user
For consumers, the immediate effect will be increased assurances from service providers that they have control over who and what has access to their data. However, having more control over personal data could easily prove confusing for many people. For the new proposals to succeed, an individual user needs to be able to make informed decisions about a series of important issues, including data sharing, service registration and data revocation. It is therefore important that service providers are careful not to overload end users with complex consent, revocation and data management questions, causing more confusion rather than confidence.
This will necessitate major changes in both technology and mindset from organisations and businesses that today often see consent simply as a tick-box compliance exercise. Businesses should not focus on compliance simply to avoid the heavy fine (£17m or up to 4 per cent of global annual turnover). Organisations that comply with the new rules will also be able to reap the rewards by building trust and improving their customer relationships, giving themselves a significant opportunity for growth.
The technical challenges
Organisations will have to make a number of internal changes in order to comply with the new regulation. Businesses may require a data privacy/protection officer (DPO) to oversee new processes, including internal audits of data and security practices, and to ensure compliance.
It is also likely that companies will need to introduce new technologies and systems to support features such as progressive user profiling. This kind of feature ensures that companies only request customer data at the point where a customer signs up for a service and that information is specifically needed. Technology that allows end users to consent to which parties can access their data will need to be implemented, as will technology that enables customers to export or remove their data.
There is no doubt that the Data Protection Bill is a huge step towards a more consumer-centric approach to personal data. It will be important, however, that the British government also makes sure that the bill is future-proofed so that it can be applied to new technologies and modes of interaction. The Internet of Things (IoT) is already accelerating the proliferation of connected devices and services that cannot be accessed and managed through traditional methods. Any regulatory changes will need to take into account the rapid pace of these innovations in order to avoid further disruption for businesses in the future.
Simon Moffatt, Director of Product Management, ForgeRock