Sergey Nivens - Fotolia

Government to strengthen UK data protection law

New legislation will require social media platforms to delete information about children and adults when asked

UK citizens are to have greater control over their personal data, including the right to be forgotten, under a new data protection law aligned with the EU’s General Data Protection Regulation (GDPR).

The new measures, to be announced today by digital minister Matt Hancock, will require social media platforms to delete information about children and adults when asked.

This will also mean people can ask social media channels to delete information they posted in their childhood.

The planned UK Data Protection Bill is the result of the government’s commitment to update and strengthen data protection laws.

It is aimed at giving UK citizens the confidence that their data will be managed securely and safely. Research shows that more than 80% of Britons feel that they do not have complete control over their data online.

The bill is also part of the government’s plans to bring UK data protection law into line with the GDPR.

Hancock signalled the intention to align UK law with the GDPR in February 2017 when giving evidence to an inquiry about data protection post-Brexit by the House of Lords’ EU Home Affairs sub-committee.

He said the UK would replace the 1988 Data Protection Act with legislation that mirrors the GDPR in an attempt to achieve the government’s goal of ensuring an unhindered exchange of data between the UK and the EU after Brexit.

Tick boxes to go

Under the planned bill, the reliance on default opt-out or pre-selected “tick boxes”, which are largely ignored, to give consent for organisations to collect personal data will also become a thing of the past, and businesses will be supported to ensure they can manage and secure data properly.

The data protection regulator, the Information Commissioner’s Office (ICO), will also be given more power to defend consumer interests and issue bigger fines, of up to £17m or 4% of global turnover, in cases of the most serious data breaches.

These fines will replace previous monetary penalties that have been capped at £500,000, and are in line with the maximum fines set by the GDPR for non-compliance.

“Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account,” said Hancock.

“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”

Read more about GDPR

The proposed legislation will also create new criminal offences to deter organisations from intentionally or recklessly creating situations where someone could be identified from anonymised data.

Information commissioner Elizabeth Denham said the ICO is pleased that the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy, and the benefits the enhanced protections will bring to the public.

Data protection rules will also be made clearer for those who handle data, but they will be made more accountable for the data they process, with the priority on personal privacy rights. Organisations carrying out high-risk data processing will be obliged to carry out impact assessments to understand the risks involved.

Julian David, CEO of TechUK, said the UK has always been a world leader in data protection and data-driven innovation. “Key to realising the full opportunities of data is building a culture of trust and confidence, and this statement of intent is an important and welcome first step in that process,” he said.

“TechUK supports the aim of a Data Protection Bill that implements GDPR in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations.”

The Data Protection Bill is aimed at:

  • Making it simpler to withdraw consent for the use of personal data.
  • Allowing people to ask for their personal data held by companies to be erased.
  • Enabling parents and guardians to give consent for their child’s data to be used.
  • Requiring “explicit” consent to be necessary for processing sensitive personal data.
  • Expanding the definition of “personal data” to include IP addresses, internet cookies and DNA.
  • Updating and strengthening data protection law to reflect the changing nature and scope of the digital economy.
  • Making it easier and free for individuals to require an organisation to disclose the personal data it holds on them.
  • Making it easier for customers to move data between service providers.

Read more on Privacy and data protection