New UK data protection laws: everything you need to know for your online life

In an effort to move with the times, the UK government is updating its policy about data protection. The newly announced Data Protection Bill builds on the Data Protection Act of 1998, and the EU General Data Protection Regulation (GDPR), giving citizens greater control over how their data is collected, and ensuring that the data is kept safe once collected. 

Among other things the bill will introduce a 'right to be forgotten', make it easier for individuals to see what information companies and organisations hold about them, and end the practice of websites requiring users to opt out of having their data shared.

The face of the digital landscape has changed massively since 1998, and the new bill tries to adjust the legal regulations to meet modern requirements. One of the major changes that has happened is the use of data as a valuable commodity. 

Data is the new oil

It’s a phrase that gets thrown about quite a lot nowadays but ‘data is the new oil’ is still the best analogy for the state of the emerging market. For context, here is an excerpt from the announcement of the bill that is particularly pertinent:

"Digitally-deliverable services comprise approximately 75 percent of products traded and delivered online. Global flows, as a whole, have increased world GDP by at least 10 percent, with the sum total of around £5 trillion in 2014 alone. Data flows account for around £1.7 trillion of this effect which means that data flows are exerting a larger impact on growth than traditional goods flows."

With social media sites that are essentially free-to-use, our personal information (including any data that we enter, along with our usage and browsing habits) becomes the way that the company monetises its service. 

What this means is that we are agreeing to our personal information being used. Most of the time we agree to this with tick-boxes on signing up, without ever reading the user agreements before signing away our personal information. Then once we’ve signed up, we don’t know if we can ever rescind that consent, and what rights we have to our information after we've signed up.

The main policies that are being implemented in the Data Protection Bill are:

  • Privacy: Strengthened consent rules that will mean consent is unambiguous and easy to withdraw. The bill looks to end the reliance on opt-out tickboxes that are "largely ignored" so that users know what they are signing up for.
  • Improved data access: Individuals will find it easier to access information that organisations hold about them at no charge.
  • Data portability: New rules will make it easier for customers to move data between service providers. This means that if you're using email or file storage services to store personal photographs or personal data, you should be able to move that data.
  • Right to be forgotten: Individuals will be able to ask for their personal data to be erased. This will also include the ability for individuals to request that posts on social media be removed. This is specifically tailored towards posts that users made as children.
  • Profiling: Individuals will have a greater say in decisions that are made about them based on automated processing. Where decisions are based solely on automated processing, individuals can request that the processing is reviewed by a person rather than a machine.

Keeping your data safe

There are also safeguards that are being put in place that will help to keep your data safe once it is in the hands of the companies that you share it with. 

These safeguards cover changes to sanctions, new rules on information sharing, and the creation of new legal offences. They include:

  • Civil sanctions: Currently the maximum fine that can be imposed for a data breach is £0.5 million. Larger fines of £17 million or 4% of turnover will be allowed.
  • Identification: A new offence for companies that intentionally or recklessly re-identify individuals from anonymised data. The maximum penalty would be an unlimited fine.
  • Altering records: A new offence for altering records in an attempt to prevent disclosure.
  • Information breach: Companies will now have an obligation to report any breaches of users' personal information within 72 hours of a breach.

The GDPR comes into effect for all EU member states from 25 May 2018, so companies have a little less than a year to get themselves ready for the changes.

As we hear more about this we'll keep you updated.


Andrew London

Andrew London is a writer at Velocity Partners. Prior to Velocity Partners, he was a staff writer at Future plc.