The UK government has published its new Data Protection Bill. The bill, launched into the House of Lords yesterday and published in full today (PDF), aims to overhaul the UK’s data protection laws and update them for the digital age. It will also prepare UK businesses for life post-Brexit, by aligning UK data protection directives with those of the EU’s new GDPR (General Data Protection Regulation), which comes into effect in May 2018. A few months ago, we took a look at some of the key new directives of the GDPR and the measures organisations will need to take to ensure they remain compliant and avoid fines. Here we return to the topic, to see which measures have made it into the new Data Protection Bill:
New Right Of Access and Data Portability
In our post last month, we highlighted that, under the new GDPR, ‘data subjects can ask the Data Controller for a copy of any personal data being processed at any time. The Data Controller must supply them with a copy of the personal data, free of charge, in an electronic format. The data must come back to them in ‘a structured and commonly used and machine-readable format’.’
The new Data Protection Bill confirms that ‘a data subject is entitled to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed, and where that is the case, access to the personal data and the information set out in subsection.’ It also, as predicted, states that ‘The controller must take reasonable steps to ensure that any information that is required by this Chapter to be provided to the data subject is provided in a concise, intelligible and easily accessible form, using clear and plain language.’
As predicted, accessibility is the name of the game. The overview of the bill, under the section ‘What are we going to do’, states ‘Empower people to take control of their data.’ Our Online Document Storage and Cloud collaboration tools would make fulfilling this compliance simple and easy, as opposed to trawling through files.
Privacy by Design
The new Bill has a section titled ‘Data protection by design and default’ as part of the Chapter outlining the responsibilities of the Data Controller. This chapter states that ‘Each controller must implement appropriate technical and organisational measures which are designed— (a) to implement the data protection principles in an effective manner, and (b) to integrate into the processing itself the safeguards necessary for that purpose.’ It also states ‘Where a controller is required by any provision of this Chapter to implement appropriate technical and organisational measures, the controller must (in deciding what measures are appropriate) take into account— (a) the latest developments in technology,’ – amongst other considerations.
Controllers and processors must be utilising the latest technologies to ensure operational efficiency and security. This is also supported by the opening statement of the Bill, which states ‘In implementing the GDPR standards, the Bill will require organisations that handle personal data to evaluate the risks of processing such data and implement appropriate measures to mitigate those risks. For many organisations such measures will likely need to include effective cyber security controls.’ Privacy measures must demonstrably be a part of Data Controllers’ organisational structures. Our Technology and Document Management services, such as Cyber Security auditing and management, Document Shredding, Managed Print Services and secure, online Document Storage – amongst many others – can help you build security into your operations, using tools such as password-encrypting files and PIN-required printing.
Right to be Forgotten
As in the GDPR, the ‘Right to erasure’ exists as a directive under the new Bill. Under it, the controller must erase personal data without undue delay if there is any infringement of the six data protection principles, the rules surrounding archiving or the rules surrounding the processing of sensitive information. These are principles such as: the data processing must be consented to, its purpose must be explicitly stated, it must not be excessive beyond its stated purpose, it must be secure and it must be accurate. Our cyber security team can work with your organisation to ensure your cyber security standards are compliant and provide a cost-effective strategy for managing your cyber security moving forward. We also provide a secure data disposal service, which securely disposes of digital and magnetic media and provides you with a certificate of destruction.
Increased Territorial Scope
The GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. If you’re situated abroad but handling an EU individual’s data, then you have to be GDPR compliant. Looking forward to post-Brexit, the new Bill states the same. The Data Protection Law applies to any controller or processor ‘established’ in the UK. It also applies to any controller or processor established outside of the UK, if the data they’re processing is that of an individual who is in the UK at the time of processing.
Data Protection Officers
As in the GDPR, ‘The controller must designate a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity.’ The GDPR states that the DPO ‘Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge’, and the new Data Protection Bill also states that the DPO must have access to all the necessary resources in order to be able to ensure compliance, liaise with the Information Commissioner and raise awareness amongst staff of the policies of the Data Protection Bill. Resources such as our Cloud Computing, Document Storage and Digital Communication services would allow your DPO to do their job easily and efficiently.
Peers of the House of Lords will have the opportunity to discuss the bill in October.
To speak to one of our Cyber Security or Document Management experts, and find out how they can ensure you remain compliant, email firstname.lastname@example.org or call 0870 890 0020.