European data protection law to give consumers more control

UK information commissioner calls on business to focus on data protection, not only to comply with the new data regulations, but also to foster the digital economy and gain a competitive edge

The European Union (EU) General Data Protection Regulation (GDPR) will require organisations to make the personal privacy rights of consumers a top priority, said the UK privacy watchdog.

The GDPR, which becomes enforceable by law in May 2018, will give people stronger rights to be informed about how their personal information is used, said UK information commissioner Elizabeth Denham. 

The GDPR will bring “a more 21st century approach” to how personal data is processed, and organisations should seize the opportunity to set out a culture of data confidence in the UK, she told the ICO’s annual Data Protection Practitioners’ Conference in Manchester.

“The GDPR provides more protections for consumers and more privacy obligations for organisations. It aligns with people’s expectations for strong safeguards, and recognises the advance of digital services in the public and private sector,” she said.

While the GDPR gives specific obligations for organisations – for example, around reporting data breaches and transferring data across borders – Denham emphasised that the real change for organisations will be understanding the new rights for consumers.

“I want to see comprehensive data programs as the norm, organisations better protecting the data of citizens and consumers, and a change of culture that makes broader and deeper data protection accountability a focus for organisations across the UK,” said Denham.

The Information Commissioner’s Office (ICO) has the power to impose monetary penalties of up to £500,000, but the GDPR provides for fines up to €20m or 4% of annual worldwide turnover, whichever is greater. 

Denham said while the GDPR gives regulators greater enforcement powers, there is a carrot as well as a stick.

“As regulators we prefer the carrot. Get data protection right, and you can see a real business benefit,” she said.

“I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals. Over time, this can play a real role in consumer choice.”

GDPR increases consumer control

Strengthened rules around consent will give consumers choice and ongoing control over how organisations use their data, as well as ensuring an organisation is transparent and accountable.

The GDPR will also introduce a duty on all organisations to report serious data breaches to the regulator and, in some cases, to the individuals affected.

Under GDPR, UK citizens will benefit from new or stronger rights, such as the right to be informed about how their data is used; data portability across service providers; the ability to erase or delete their personal information; access to the personal data an organisation holds about them; the ability to correct inaccurate or incomplete information; and rights over automated decisions and profiling.

Post-Brexit, Denham said the UK government will need to answer questions about how the need of the UK’s digital economy for data to flow across borders will be met and how the UK can continue to foster economic growth while still respecting citizens’ rights.

“When the government comes to answer those questions beyond the implementation of GDPR in 2018, we expect to be at the centre of many conversations, speaking up for continued protection and rights for consumers, and clear laws for organisations. [We will also be] addressing the strong data protection laws we’d need if we want to keep the UK’s approach at an equivalent standard to the EU,” she said.

Giving evidence to the House of Lords EU Home Affairs Sub-Committee on 1 March 2017, Stewart Room, head of legal data protection and cyber security at PricewaterhouseCoopers (PwC), said the GDPR essentially provides a code for good business practices in handling personal data.

“Stripping out the legal components and enforcement mechanisms, we find in the GDPR a framework that most businesses would agree as being necessary for data handling.

“As far as consumers are concerned, the GDPR gives more rights over personal data, such as greater right to transparency and a greater right to intervene in the operation of business if they have concerns [about their personal data],” he said.

The GDPR also includes mandatory breach disclosure that will help consumers to understand serious incidents concerning confidentiality and security, and it acts as a transparency mechanism as well as a mechanism to help those affected mitigate any harm.

Room said that, because certainty is important for business, having a “GDPR Act” post-Brexit in which the legislation is transposed verbatim is going to be a “significant advantage”.

This view is consistent with the UK government view expressed by digital minister Matt Hancock, who faced questions from the same sub-committee in February 2017 on how best to ensure there are unhindered flows of data between the UK and the EU after Brexit.

He told the same sub-committee that the UK will replace the 1988 Data Protection Act with legislation that mirrors the GDPR, saying he was confident that this strategy would ensure the UK achieves its goal of free data flows with the EU post-Brexit.

In addition to GDPR-like legislation, Room said it is also important for the ICO as the UK privacy regulator to remain relevant and penetrative as well as being able to lead.

“We need to ensure that our regulator is sufficiently resourced in terms of skill and capability so that no-one can levy the charge that the [UK] data protection regulation is not working in operations,” he said.
