The UK government has realised what we have known for years, that technology is changing so fast, the legal system cannot keep up.
In an effort to change this, the UK government is updating its data protection policy. The Data Protection Bill builds on the Data Protection Act of 1998 and the EU General Data Protection Regulation (GDPR). It is designed to give users better control over their data and, for the first time, has realised that data is a valuable commodity.
So what are the key changes? Well, the first thing to know here is that I am not a lawyer (nor would I ever pretend to be one). So consider this update a very quick crib note of the main points. I STRONGLY suggest that if you are in the UK you read the entire bill and talk to your local legal advisor.
With that being said, here are the main policies being implemented as part of the Data Protection Bill:
- Privacy: There has been the addition of stronger consent rules that mean consent needs to be unambiguous and easy to withdraw. This will mean the end of reliance on opt-out tick boxes so that users know what they are signing up for.
- Improved data access: Individuals will find it easier to access information that organisations hold about them, at no charge.
- Data portability: Changes make it easier for users to move between service providers and to move their data along with them. For example, email and file storage services need to make it possible (and easy) to move that data.
- Right to be forgotten: The controversial one: users will be able to ask for their personal data to be erased. This also includes the ability for a user to request that posts on social media be removed, in particular posts that users made as children.
- Profiling: Users can have input into decisions that are made about them based on automated processing. Where decisions are based solely on automated processing, individuals can request that the processing is reviewed by a person rather than a machine.
There are also a number of data protection safeguards being put in place:
- Civil sanctions: Larger fines of £17 million or 4% of turnover will be allowed for cases of data breaches (currently the max fine is £0.5 million).
- Identification: This is a big one: it is now an offense for companies to intentionally or recklessly re-identify individuals from anonymised data. The maximum penalty would be an unlimited fine.
- Altering records: It is now an offense to alter records in an attempt to prevent disclosure (to be honest, I thought this was already an offense).
- Information breach: Companies will now have an obligation to report any breaches of users' personal information within 72 hours of a breach.
These changes are significant and a massive step in the right direction. As digital marketers, we need to be fully up to date with any data protection laws in our countries.