GDPR to become law regardless of Brexit, as UK data regulation gets overhauled
Under new proposals outlined by the government, consumers can legally ask businesses to delete personal data they submitted when they were children
The general data protection regulation (GDPR), new pan-European legislation that concerns how larger businesses hold and use information on consumers, will become UK law in May 2018 and thereafter – regardless of the UK's decision to leave the European Union, the government has announced.
In what's been described as a “complete overhaul” of the UK's data protection laws, new legislation drafted by digital minister Matt Hancock will see a range of new data rules introduced, including the already-planned GDPR.
The proposals give new powers to UK consumers: the general public will be able to legally ask businesses to delete personal data they submitted when they were children.
Proposals included in the bill will:
- Make it easier for people to withdraw consent for their personal information to be used
- Allow people to ask businesses to delete personal data they may hold
- Require businesses to obtain “explicit” consent when they process sensitive personal data
- Expand personal data to include IP addresses, DNA and small text files known as cookies
Businesses that fail to adhere to the new rules will face hefty fines, with those that ignore GDPR potentially facing a fine of 4% of their annual turnover or a flat fee of £17m.
In contrast, the current maximum fine firms can suffer for breaking data protection laws is £500,000.
However, businesses can argue to keep hold of personal information, should it be of “historical or scientific importance”, meaning consumers may not always get their way.
Under GDPR, which is now woven into the government's own bill, businesses with over 250 staff must appoint a data protection officer.
The regulations are designed to ensure firms hold and handle consumer data safely, securely and responsibly, and all businesses that operate in the data management business, regardless of size, will have to comply with at least some of them.
“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world.
“It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”
Elizabeth Denham, the information commissioner, said:
“We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.”
Jason Hart, CTO data protection at Gemalto and former ethical hacker, said:
“This overhaul of UK data protection law is a crucial step towards updating the UK’s approach to cybersecurity.
“By putting control of their personal data back in the hands of consumers, the pressure is on for businesses to ensure they are adhering to data protection laws. Those that don’t risk losing consumer trust.
“Incorporating the incoming GDPR legislation into UK law is an important step, as it will dispel any uncertainty businesses had around its fate post-Brexit.
“With the deadline for compliance fast approaching, there is now no reason for UK businesses not to be moving towards meeting these data protection laws.”