GDPR – New UK Data Protection Laws on the Horizon

11 August 2017

The consultation ‘GDPR Call for Views’ closed back in April. The Department for Digital, Culture, Media and Sport has recently published a statement of intent and has confirmed that a bill will be published in the autumn to transfer the GDPR, which is European legislation, into UK statute.

Call for Views

The government initially spoke informally to “wide-ranging” stakeholders to form a broad understanding of different views. It then invited any person or organisation interested in data protection to give their views through the call for views exercise.

The government received 170 responses from organisations representing “wide-ranging” points of view. Responses came not only from the technology and legal sectors but also from local government and consumer protection groups. Private individuals also provided helpful contributions.

Planned Reforms

The government will ensure that the UK’s framework continues to protect personal data in the new digital age by:

Protecting individuals.

The government will protect privacy, strengthen rights and empower individuals to have more control over their personal data by providing easier access. UK citizens will be better protected by a combination of new and strengthened existing rights which include:

  • Privacy. The rules around consent are being strengthened and made subject to additional conditions: consent must be unambiguous and easy to withdraw, and it must be explicit when sensitive personal data is processed. Also, where a child is under the age of 13, consent for information society services must be given by a parent or guardian.
  • Improved data access. Individuals will find it easier to require an organisation to disclose the personal data it holds about them, at no charge.
  • Data portability. The new rules will make it easier for customers to move their data between service providers, giving consumers greater choice and promoting competition and innovation.
  • Right to be forgotten. Individuals will be able to ask for their personal data to be erased.
  • Profiling. Individuals will have a greater say in decisions made about them on the basis of automated processing.

Protecting organisations.

Organisations currently adhere to data protection requirements under the Data Protection Act 1998. The government will strengthen or amend these requirements, where appropriate, to reflect the ever-changing digital economy. This will help organisations protect personal data, their reputation and their business by properly securing and managing data. This will be done by:

  • Building accountability but with less bureaucracy. The aim is to alleviate administrative and financial burdens on data controllers while making them more accountable for the data being processed. Businesses must also notify the ICO within 72 hours of becoming aware of a breach. Where the breach presents a high risk to individuals, businesses must notify the individuals affected as well.
  • Helping to reduce business exposure to the risk of data protection breaches and the associated fines and reputational damage. Organisations carrying out high-risk data processing must complete data protection impact assessments to understand and mitigate the risks and to prevent inappropriate use. Personal privacy rights must be a high priority when handling personal data.
  • Simpler rules. The rules will be consolidated to provide a clearer regime which is fair for data controllers and processors.

A tougher regulator.

The ICO will retain its existing powers and gain additional authority to impose greater sanctions for breaches of data protection law. Its powers include:

  • Investigative powers. The continued ability to request information from data controllers and processors, enter and inspect premises, carry out audits and require improvements.
  • Civil sanctions. Larger fines of up to £17m or 4% of global annual turnover, whichever is higher, will be allowed. Currently the maximum fine the ICO can issue is £0.5m.
  • Criminal sanctions. The ICO or CPS will continue to prosecute offenders. The most serious offences will also become recordable. Existing offences will be streamlined to ensure that prosecutions continue to be effective, and new offences will be created to deal with emerging threats. Certain criminal offences will carry a maximum penalty of an unlimited fine.
  • Protection for journalists and whistleblowers. The important role of journalists and whistleblowers in holding organisations to account and underpinning a free press will be protected by exemptions.

A bespoke regime for law enforcement purposes.

A bespoke framework, tailored specifically to the needs of criminal justice agencies, will govern data processing for law enforcement purposes. It is vital that criminal justice agencies can work together, both within borders and across them, to share information to protect the public and fight crime.