Jerry Sliwowski - Fotolia
Most UK organisations unaware of new data protection laws
The UK’s digital and culture secretary is urging businesses and charities to prepare for stronger data protection laws in the light of new information
Less than half of UK businesses and charities are aware of new data laws just four months before the compliance deadline, a government-sponsored survey has revealed, with awareness in the construction and manufacturing sectors particularly low.
Businesses in the finance and insurance sectors have the highest awareness of the changes to be brought in through the EU’s General Data Protection Regulation (GDPR), which will be implemented in UK law via the Data Protection Bill in May 2018.
The new UK data protection legislation sets similar requirements and penalties for non-compliance as the GDPR in an attempt by the UK government to ensure uninterrupted data flows between the UK and EU member countries after Brexit.
According to the government report, only one in four construction businesses polled are aware of the incoming regulation. Awareness is higher among businesses that say their senior managers consider cyber security a fairly high or very high priority, with two in five aware of the GDPR.
The survey found that just over a quarter of businesses and charities that had heard of the regulation have made changes to their operations ahead of the new laws coming into force.
Among those making changes, just under half of businesses, and just over one-third of charities, have made changes to cyber security practices, including creating or improving cyber security procedures, hiring new staff and installing or updating anti-virus software.
Speaking in Davos, UK digital, culture, media and sport minister Matt Hancock said the government is strengthening the UK’s data protection law to make it fit for the digital age.
The new legislation is aimed at giving UK citizens more control over their own data, he said, as well as supporting innovative businesses to maximise the potential benefits of increasing use of data in the digital economy.
Read more about the GDPR
- GDPR: It’s not too late to ensure real risks will be addressed, says data protection legal expert Stewart Room.
- The GDPR is widely expected to spark privacy claims after its compliance deadline of 25 May 2018, but Austrian lawyer Max Schrems is doubtful.
- Tools to help organisations comply with the EU’s General Data Protection Regulation.
- The full impact of the EU’s GDPR is complex, warns the head of ICT at T-Systems Belgium.
However, the minister said the survey shows that many organisations still need to act to make sure the personal data they hold is secure and they are prepared for the new EU and UK data protection laws.
Hancock said there is a “wealth of free help and guidance” available from the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). “I encourage all those affected to take it up,” he said.
The UK tops the list in Europe for global tech investors, with its tech firms attracting more venture capital funding than any other European country in 2017. In December 2017, the UK was named by Oxford Insights as the best prepared country in the world for artificial intelligence (AI) implementation.
While in Davos, Hancock is expected to promote UK innovators in speeches covering policymaking for the Fourth Industrial Revolution and Generation AI.
The new UK data protection legislation will give the ICO more power to defend consumer interests and issue higher fines, of up to £17m or 4% of global turnover for the most serious data breaches, which is roughly in line with the penalties contained in the GDPR.
Organisations that hold and process personal data are urged to prepare and follow the guidance and sector FAQS freely available from the ICO.
The ICO’s dedicated advice line for small organisations has received more than 8,000 calls since it opened in November 2017, and the Guide to the GDPR has had more than one million views. The regulator also has a GDPR checklist, and 12 steps to take now to prepare for GDPR.
Read more about the Data Protection Bill
- Government to strengthen UK data protection law.
- Security industry welcomes planned UK Data Protection Bill.
- The Data Protection Bill is about securing UK data leadership.
- UK Data Protection Bill vs EU General Data Protection Regulation.
According to the government, there is still time to prepare, and many organisations will be compliant with the new rules if they are already complying with the existing Data Protection Act.
There will be no regulatory “grace” period, but the government said the ICO is a “fair and proportionate” regulator.
“Those who self-report, who engage with the ICO to resolve issues and demonstrate effective accountability, can expect this to be taken into account when the ICO considers taking action,” the government said in a statement.
Information commissioner Elizabeth Denham said the data protection law reforms put consumers and citizens first. “People will have greater control over how their data is used, and organisations will have to be transparent and account for their actions,” she said.
“This is a step-change in the law – businesses, public bodies and charities need to take steps now to ensure they are ready.”
According to Denham, organisations that commit to the spirit of data protection and embed it into their policies, processes and people will thrive in the new era of data protection.
“The GDPR offers a real opportunity to present themselves on the basis of how they respect the privacy of individuals, and over time this can play more of a role in consumer choice,” she said. “Enhanced customer trust and more competitive advantage are just two of the benefits of getting it right.”
Denham recommends that businesses follow free guidance on protecting themselves from online attacks published by the NCSC, such as the Cyber Essentials advice and the Small Business Guide.
The GDPR requires organisations to have appropriate measures in place to protect personal data, which could include:
- Documenting what data the organisation holds.
- Reviewing privacy notices.
- Updating procedures around individuals’ rights, including deleting personal data if asked.
- Planning how to handle subject access requests.
- Reviewing how consent to process data is gained.
- Considering children, and whether age verification or parental consent is required.
- Having procedures in place to detect, report and investigate data breaches.
- Appointing a data protection officer.
In the wake of recent high-profile data breaches, the government is urging businesses and charities to update their cyber security protections.
Cyber security measures businesses and charities can take up to help protect their data include:
- Using strong passwords and always downloading software updates.
- Adopting the Cyber Essentials scheme to protect against the most common threats.
- Following cyber security guidance available from the NCSC.