New UK data protection laws, designed to align UK laws with European laws (GDPR) for Brexit and beyond, will give people more control over how companies use their data, including the ‘right to be forgotten’.
What Is The Right To Be Forgotten?
The concept of the ‘right to be forgotten’ in data privacy dates back to EU guidelines proposed in January 2012. In this context, it refers to an individual’s right to request that a company / organisation deletes all data / information that it holds about them (where there is no compelling reason for its continued processing). The idea is that the individual then has more control over exactly who has access to their personal data, and can thereby increase their privacy, potentially reduce security risks, and stop any annoying / unwanted / unsolicited communications from businesses and other organisations.
According to the ICO, this doesn’t mean that an individual has a absolute ‘right to be forgotten’, but does have the right to have their personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When an individual withdraws consent.
- When an individual objects to the processing, and there’s no legitimate reason for continuing the processing.
- Where the personal data was unlawfully processed (in breach of the GDPR).
- Where personal data has to be erased to comply with a legal obligation.
- Where personal data is processed in relation to the offer of information society services to a child.
New Proposals In The Bill
With the new UK data protection laws, the proposals in the bill will now make it simpler for people to withdraw agreement for their personal data to be used; let people ask for data to be deleted; oblige firms to get unequivocal consent when they process sensitive personal data; widen the definition of personal data to include IP addresses, DNA, internet cookies; let people have the information that organisations hold about them more freely; and, criminalise instances of revealing identities anonymised or pseudonymised, whether intentionally or recklessly.
Onus On Firms
These new laws are designed to force the companies / organisations behave responsibly in their use of data.
The EU’s General Data Protection Regulation (GDPR) will come into force in May 2018. The law places the burden of responsibility very much on companies to protect information gathered at all cost. Failure to protect data will mean that companies will face serious fines (imposed by the UK’s Information Commissioner’s Office).
UK firms whose data has been seriously breached can be fined up to £17m in the new bill proposal. Currently, the maximum fine for breaking data protection laws is £500,000.
Beyond The “Right To Be Forgotten”
The new law goes further than the "right to be forgotten" rules that are already being applied to search engines – those that affect what can be listed in search results. This time, dealing with the GDPR and associated legislation that will impact upon data held by a wide range of companies.
ICO Strengthened Too
The new law has also strengthened the powers of the UK’s Information Commissioner’s Office to help impose it.
The Uk’s Information Commissioner Elizabeth Denham is reported to be pleased with this development as it shows the government recognises the importance of data protection, its main role in increasing trust and confidence, and the benefits the new bill proposals will bring to the public.
What Does This Mean For Your Business?
Many businesses in the UK are only just getting to grips with how they can equip themselves to comply with GDPR, so the fact that there is a similar new set of regulations is going to mean more work and complication (and associated costs) in making sure that they are prepared.
There have already been worrying reports in the media this year that the legal profession is geared up and ready to work on behalf of those who feel that they have a case to take action against companies that don’t comply with the news laws e.g. through not knowing them well enough or not responding quickly enough to customer requests regarding how their personal data held / used by that company.
Indeed, the chairman of The Federation of Small Businesses, Mike Cherry, has reportedly voiced his worry that many small companies have no idea how the proposed law will affect them, and that this may open up small businesses to the risk of big fines.
Clearly, businesses need to act quickly to learn about how exactly the new UK law (and GDPR) apply to them and what measures, systems, expertise and resources need to be put in place / employed / bought-in to ensure compliance and avoid fines.