The UK government has announced a new data protection bill to give individuals greater control of their online data, with businesses facing non-compliance fines of up to £17m.
Designed to shore up the nation’s cyber defences and make Britain “the most secure” place to do business online, the data protection bill will bring the European Union’s General Data Protection Regulation (GDPR) into UK law.
Primarily, the bill will introduce measures to make it easier for consumers to withdraw consent for the use of their personal data, and enable individuals to require an organisation to disclose the personal data it holds on them.
Processing “sensitive” personal data will require the “explicit” consent of the individual, while the definition of personal data will extend to include IP addresses, internet cookies and DNA.
The Department for Digital, Culture, Media and Sport (DDCMS) stated that business owners would be supported to ensure customer and user data was managed and stored securely, while fines – up to four per cent of annual turnover – would only be used as a “last resort” for extreme recklessness.
Matt Hancock, minister of state for digital, said both companies and customers would be protected by the new data protection bill.
“Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account,” he said in a statement.
Alongside fresh obligations for businesses to protect information, new criminal offences will also be created to prevent organisations from “intentionally or recklessly” creating situations where anonymous users can be identified.
Hancock added: “The new data protection bill will give us one of the most robust, yet dynamic, set of data laws in the world.
“The bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”
With significant fines on the table, Mike Cherry, chairman of the Federation of Small Businesses (FSB), said the announcement gave owners of small firms “a bit more” clarity over GDPR obligations, but failed to offer real guidance.
“However, for almost all [small business owners], the scope of the changes have not even registered on their radar. They simply aren’t aware of what they will need to do, which creates a real risk of companies inadvertently facing fines,” Cherry said in a statement.
Cherry added that the government needed to provide continued support for founders in advance of substantial changes.
“Learning the lessons of auto-enrolment, this should be allied to early, focused and clear communications. This is key for a gold standard approach to data protection that the Government seeks. FSB took part in the government’s consultation to request this, but there is no sign yet that this has registered. We will be taking this up with ministers.”
Representing the UK’s thriving technology sector, meanwhile, techUK CEO Julian David said the data protection bill was an important “statement of intent”.
David added: “techUK supports the aim of a data protection bill that implements GDPR in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations.”