A new Data Protection Bill was announced today that aims to update existing UK data protection law. The news has caused a stir in the tech industry, as the bill aims to empower customers and to make businesses accountable for how they use and protect personal data.
The bill aims to give customers greater power to withdraw consent, as well as the right to request that the data a business holds about them be returned to them.
Government action on data protection is encouraging, given that news of massive breaches exposing vast numbers of people has become commonplace. The bill will apply further pressure to businesses that are currently failing to provide adequate protection against cyber attacks and against their own carelessness.
The proposed bill is also set to usher in the GDPR era: the new regulation arrives in less than a year's time and will impose heavy fines on organisations that do not have their data protection measures and processes in place.
The UK is committed to protecting privacy
Mark Thompson, head of privacy advisory at KPMG said: “Today’s statement of intent by the Government shows that the UK is committed to protecting the privacy of individuals’ data and the way it is processed. This commitment also sends a strong message that the UK will have resilient data protection regimes, post-Brexit.”
“This does however provide some challenges for business in terms of getting their houses in order, but, ultimately, this now means that privacy needs to be at the core of their business strategies.”
Companies can start afresh
Rashmi Knowles, Field CTO, RSA said: “The new refresh will give consumers much more control over what data they are handing over to companies and how this will be used, which is a positive step not just for consumers but for companies too. Companies can now start afresh and have an opportunity to cleanse their data and engage customers. Yet this is not to say the changes will be easy to implement.”
“Previously, the DPA only protected PII, and had a much narrower definition of what this constituted. Companies that are already complying with the DPA, or those who have already started on their GDPR journey, have a head start, but there is a long road ahead. It is vital companies understand the changes and prepare accordingly to ensure they manage their business risk. For instance, under the new regulations PII will encompass areas like ethnic, genetic, and pseudonymised data – i.e. data that can be easily unscrambled to determine PII, such as an email address, IP addresses, or biometrics.”
Raising the bar for businesses
Bharat Mistry, principal security strategist at Trend Micro said: “With the planned overhaul of UK data protection laws, the bar has been raised for businesses in the cybersecurity stakes. The expansion of personally identifiable information to include IP addresses, DNA and cookies is going to be no easy task for businesses to identify and protect. What’s more, they’ll need to have both an effective consent policy in place, and know exactly where this data is held should a consumer exercise their right to be forgotten. And this doesn’t just apply to businesses themselves, but to any third party partners that might be processing their customer data, meaning there are a lot of plates to spin.
“The winds of change are coming; businesses don’t own the rights to consumer data anymore, and it’s no longer theirs to misfile in the corporate network, or lose to a hacker. With data ownership shifting back to the consumer, any business that isn’t complying with GDPR, and the overhauled protection laws, is denying consumers the fair, transparent internet that they deserve.”
Automated data management is essential
Greg Hanson, VP EMEA cloud, Informatica said: “UK companies must have a comprehensive view over all the relevant data they hold if they are to comply with the new Data Protection Bill. If a customer triggers their ‘right to be forgotten’ and the business doesn’t have a comprehensive data management strategy, it can’t guarantee to delete all the necessary information. With fines of £17 million or 4 per cent of global turnover for non-compliance, good data management just became an essential for all consumer-facing businesses. The price of non-compliance could be fatal.”
“As a result, UK businesses need to identify which data will be subject to the new law and ensure that it can be easily accessed and deleted if need be. To do this, they should map out all their data across the whole organisation, no matter where it is stored. Many companies have built up vast databases of personal information over the years, so an automated data discovery system is essential – humans can’t process it all in time.
“A powerful automated data management strategy is essential if UK businesses are to gain the deep insight they need to ensure they are compliant.”
A once in a decade opportunity
Matthew Smith, CTO of Software AG said: “The introduction of the UK’s Data Protection Bill shows that the government is serious about enforcing data best practice, transferring the European Union’s General Data Protection Regulation (GDPR) into UK Law.”
“The current Data Protection Act (DPA) was created in 1998, before ecommerce, online banking and social media really became popular. People’s demands for the privacy of their data have changed and this new regulation reflects that. With breaches and hacking featured on the news on an almost daily basis, the public now expect their data to be properly protected. However, this is only achievable if organisations have clear guidelines to work to.”
“Companies must take data protection seriously to remain competitive in today’s digital landscape. Regulations and sanctions need not be seen as squashing innovation or as more red tape; indeed, this is a real opportunity to overhaul IT processes and make your company more efficient. The Data Protection Bill and GDPR are a once-in-a-decade opportunity to refresh working practice and jump-start innovation.”
The process needs to start now
Sarah Armstrong-Smith, Head of Continuity & Resilience at Fujitsu UK & Ireland said: “With the GDPR set to become UK law through today’s Data Protection Bill, it’s important companies take a first step by assessing how GDPR-ready they are. From data inventory scans which locate the relevant data held today, to assessing the maturity of current data protection practices – the process needs to start now to ensure compliance.”
“This legislation is about organisations taking responsibility in a digital age where data is the new currency. Whether they are private or public sector, every organisation must establish GDPR-compliant policies for processing personal data, including how they handle data erasure and rectification. GDPR readiness will oblige organisations to carry out thorough preparation, to set up the processes necessary for compliance, as well as supporting alignment of their systems and services with GDPR’s requirements.”
The golden age of free data is over
Iain Chidgey, VP and General Manager International at Delphix said: “The golden age of free data is over and the Data Protection Bill means the regulator finally has teeth. Data privacy is emerging as a basic human right.”
“The introduction of punitive sanctions shows the UK is serious about protecting the public and enforcing data best practice. Companies that don’t do enough to protect consumers’ personally identifiable information (PII) face genuine penalties that will make them think twice. In fact, it is planning to go even further than the legislation put in place by the EU’s General Data Protection Regulation (GDPR).”
“People’s demands for data privacy have changed. With data breaches and criminal hacking an everyday part of modern society, the public expect their data to be protected. However, change won’t happen overnight.”
The UK is getting ahead of the curve
Kirill Kasavchenko, Principal Security Technologist, EMEA at Arbor Networks said: “The world is becoming increasingly digitised, which means that personal data is often collected every single day. Whenever data is collected and stored, there is always a risk that it might be vulnerable to a cyber threat. So it’s great to see the UK getting ahead of the curve, with an ambition to legislate the most robust set of data laws in the world.”
“Any responsible company will see measures that empower individuals to have agency over their own data as a good thing. Some companies might face a huge challenge getting internal policies up to speed in the short-term, but the long term protection these regulations will bring for clients, customers and prospects will be worth the initial efforts. The security industry have long advocated storing only essential data – organisations operating within the UK will now be compelled to review how data is gathered, stored, processed and shared. Doing so will make it that bit harder for cyber criminals to target UK companies.”