The government has announced that it will introduce a new data protection law this summer in the lines of Europe’s General Data Protection Regulation.
The new data protection law will empower citizens to force companies to delete their personal data which will not be limited to social media content.
The upcoming data protection law will bring in stringent guidelines on how companies will manage and store sensitive customer data and will also empower citizens with the right to get their personal data deleted from company servers.
According to Digital Minister Matt Hancock, the law will ‘give people more control over their data, require more consent for its use, and prepare Britain for Brexit’.
What does the new law mean for companies?
Once the new law comes into effect, companies will be required to obtain explicit consent from people before collecting their personal data or storing them for any purpose. Aside from personal information like names, addresses, email addresses, phone numbers and government ID numbers, such data will also include IP addresses, DNA, and cookies.
At the same time, companies will have to respect any customer’s request to have his data amended or deleted from their servers. Consent will not be permanent and citizens will be able to withdraw their consent anytime they wish to do so.
If your company sends out marketing emails and offers discounts or add-ons to customers via email or text, you will need to ensure that only those customers are contacted who have expressly opted in and consented to receive such emails and texts.
“Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account,” Hancock added.
The new data protection law will also be as consistent as possible with the GDPR so as to enable businesses to carry out trade across the borders without worrying much about regulatory differences.
What if you fail to comply?
If any company fails to comply with the new law, resulting in a breach that compromises customer data, the Information Commissioner’s Office will have the power to issue fines of up to £17m, or 4% of the company’s global turnover.
While it seems straightforward, it is going to be a race against time for companies that hold large amounts of customer data. The upcoming law will require companies to have a clear approach to data collection and storage and to know where such data is stored so as to delete or amend them whenever requested by customers.
At the same time, companies will have to strengthen their cyber security protocols so as to avoid cyber attacks or data breaches. Businesses in the UK are already suffering financial losses because of cyber attacks but regulatory fines mandated by the data protection law may make a number of businesses unsustainable.
The Zurich SME Risk Index survey has revealed that as many as 875,000 small and medium businesses in the UK suffered cyber breaches in the last twelve months.The survey also revealed that while 21 percent of SMEs suffered over £10,000 in losses, 11 percent of them said that cyber breaches have resulted in losses of over £50,000 in the period.
Despite facing financial losses, half of all SMEs that Zurich surveyed said that they would not spend more than £1,000 on cyber security over the next twelve months. If they need to comply with the upcoming data protection law and avoid huge fines and public embarrassment, their approach needs to change.
‘With fines of £17 million or 4 per cent of global turnover for noncompliance, good data management just became an essential for all consumer-facing businesses. The price of non-compliance could be fatal,’ says Greg Hanson, VP of EMEA cloud at Informatica.
Hanson adds that businesses must ensure that any data that is subject to the new law can be easily accessed and deleted. They need to implement powerful automated data management strategy and map out their entire databases since humans cannot process such data all the time with perfect accuracy.
‘With the introduction of these new laws and the upcoming GDPR, it is essential that organisations are taking all the necessary steps to ensure that they are compliant with these regulations or else risk facing devastating consequences, not only from a financial perspective but for their reputation too,’ says Peter Carlisle, VP of EMEA at Thales e-Security.
The new data protection bill is set to be tabled and discussed in the Parliament in the first half of September. The first draft of the bill will be released to the public next month.