The Biggest & Best Portal to the Professional Property, Workplace and Built Environment Community

Sunday, 25 February

Do You Do Data? EU GDPR to Enter British Law

In a statement of intent (made on Monday 7), the government has committed to updating and strengthening data protection laws through a new Data Protection Bill.

The data protection regulator, the Information Commissioner’s Office (ICO), will also be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4 per cent of global turnover, in cases of the most serious data breaches.

Matt Hancock, Minister of State for Digital said: Our measures are designed to support businesses in their use of data and give consumers the confidence that their data is protected and those who misuse it will be held to account.

"The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use. We have some of the best data science in the world and this new law will help it to thrive."

 

Clearer rules

Data protection rules will also be made clearer for those who handle data but they will be made more accountable for the data they process with the priority on personal privacy rights. Those organisations carrying out high-risk data processing will be obliged to carry out impact assessments to understand the risks involved.

The Bill will bring the European Union’s General Data Protection Regulation (GDPR) into UK law, helping Britain prepare for a successful Brexit.

 

At a personal level

Research shows that more than 80 per cent of people feel that they do not have complete control over their data online.

Under the Bill, individuals will have more control over their data by having the right to be forgotten and ask for their personal data to be erased. This will also mean that people can ask social media channels to delete information they posted in their childhood. The reliance on default opt-out or pre-selected ‘tick boxes’, which are largely ignored, to give consent for organisations to collect personal data will also become a thing of the past.

 

The Data Protection Bill will:

  • Make it simpler to withdraw consent for the use of personal data.
  • Allow people to ask for their personal data held by companies to be erased.
  • Enable parents and guardians to give consent for their child’s data to be used.
  • Require ‘explicit’ consent to be necessary for processing sensitive personal data.
  • Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA.
  • Update and strengthen data protection law to reflect the changing nature and scope of the digital economy.
  • Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them.
  • Make it easier for customers to move data between service providers.

New criminal offences will be created to deter organisations from either intentionally or recklessly creating situations where someone could be identified from anonymised data.

Elizabeth Denham, Information Commissioner, said: “We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.”

Julian David, CEO of techUK, said: “This statement of intent is an important and welcome first step in that process. techUK supports the aim of a Data Protection Bill that implements GDPR in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations."

 

Network and Information Systems

The Network and Information Systems directive (which the UK and all EU members have 21 months to bring in to national laws) is likely to be incorporated in to the Bill (or as an adjunct).

The Directive requires:

  • Member States be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority.
  • Cooperation among all the Member States, by setting up a cooperation group, in order to support and facilitate strategic exchange of information. They will also need to set a CSIRT Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.
  • A culture of security across sectors which are vital for economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors that are identified by the Member States as operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority. Also key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with the security and notification requirements under the new Directive.

Justin Coker, Vice President EMEA at Skybox Security comments: “A UK consultation is welcome on NIS because, to comply, many organisations will need to review their own systems to keep pace with its requirements. The government is saying severe fines will be levied unless an organisation can prove it assessed the risks adequately. But, too often there is no visibility of where the threats and vulnerabilities are.  The attack surface is now more complex than ever, so organisations need to move away from traditional thinking and develop a clear picture of the long-term security goals and plan the security program in a structured and logical way.

“Protecting and securing critical digital national infrastructure presents a real challenge because end-to-end access analysis must be done across hybrid IT and Operational Technology networks. To do this, organisations must obtain accurate visibility of the assets, security controls, policies and any potential vulnerabilities – the attack surface.  They need to know when their security has been compromised and redress attack vectors before they can be exploited.”

Picture: The government is to strengthen UK data protection law and thus bring the European Union’s General Data Protection Regulation in to British Law

Article written by Cathryn Ellis

Share



Related Articles

What's Up Docs?

A Google spokesperson has told ThisWeekinFM: “We realise people are concerned about their Google accounts and we're now able to give a fuller explanation after...

 Read Full Article
If Dolly Can Be Hacked, What About The Hand Dryer?

  Connected toys with Bluetooth, wi-fi and mobile apps may seem like the perfect gift for Christmas. But Which? has found that, without appropriate safety...

 Read Full Article
Yahoo Cyber Breach Was Bigger

Yahoo has announced (week ending Oct 6) that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company...

 Read Full Article
Logins Could be a Rotten Affair

Relying on 'auto-fill' to complete the login process for websites as well as storing bank card details to shopping sites such as eBay and Amazon can make for...

 Read Full Article
Get Safe Online Week 2015

The UK public has been left feeling vulnerable following an increase in highly personalised cybercrimes according to Get Safe Online, the joint public private internet...

 Read Full Article
Count-down to Disaster - NCA Opens Two Week Window to Prevent UK-wide £Millions Fraud

The UK's national Crime Agency (NCA) yesterday announced a two week opportunity to reduce a threat from a powerful new computer attack. It urged businesses and...

 Read Full Article
Andromeda Strained - International Cyber Op Dismantles Botnet

On November 29, the Federal Bureau of Investigation, in close cooperation with the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s...

 Read Full Article
McDonalds Security Contractor In 'Remove Your Hijab' Scandal

Thursday evening, November 30, McDonalds Restaurants discovered the hard way that a relationship with a contractor - in this case, employing cheap, untrained security...

 Read Full Article
Uber And The Cyber Nightmare Ride

In an unprecedented move, the National Cyber Security Centre has commented specifically on the Uber data breach - with a coded reference to the fact that Uber tried to...

 Read Full Article
FTSE 350 - General Data Protection Awareness Good

The Government will soon be introducing its new Data Protection Bill to Parliament. With this almost certain to come into effect next May, implementing the General Data...

 Read Full Article