Separate from any European legislation, the UK government is introducing its own ‘Right to be forgotten' to increase people's control over their digital data under a new Data Protection Bill announced today by digital minister Matt Hancock, expected to be introduced in September in preparation for Brexit.
Social media platforms will be required to delete information on children and adults when asked – in a bid to correct a situation where the government's research shows 80 percent of people feel that they do not have complete control over their data online.
The cyber-security industry has welcomed the move, though it cautions that the new right reinforces the need for companies to know what data they hold and where, and to be in a position to delete it when required; industry more broadly has also welcomed the clarification of the rules. However, Simon Migliano, head of research at Top10VPN.com, goes on to add, “... it feels hypocritical for the Government to be trumpeting these new data protection measures while at the same time being responsible for the Investigatory Powers Act, or Snoopers' Charter, that runs completely contrary to these proposals.”
He asks, “Will the government have to ask "explicit" permission to harvest your data? Will you be able to ask them to view or delete the data the government holds on you? I doubt it.”
A government statement notes that reliance on default opt-out or pre-selected ‘tick boxes', which are largely ignored, to give consent for organisations to collect personal data will become a thing of the past. IP addresses are included in the definition of personal data.
Among the new measures, again in line with GDPR, the UK's data protection regulator, the Information Commissioner's Office (ICO), will also be given more power to defend consumer interests and to issue higher fines, of up to £17 million or four per cent of global turnover, in cases of the most serious data breaches – the turnover-based figure also giving its measures extra-territorial reach. Julian David, CEO of techUK, said that his organisation, “...supports the aim of a Data Protection Bill that implements GDPR in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations.”
In a government release, Matt Hancock, minister of state for digital, said: “The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”
The government statement describes how the Data Protection Bill is intended to:
· Make it simpler to withdraw consent for the use of personal data
· Allow people to ask for their personal data held by companies to be erased
· Enable parents and guardians to give consent for their child's data to be used
· Require ‘explicit' consent to be necessary for processing sensitive personal data
· Expand the definition of ‘personal data' to include IP addresses, internet cookies and DNA
· Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
· Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
· Make it easier for customers to move data between service providers
New criminal offences will also be created to deter organisations from intentionally or recklessly creating situations where someone could be identified from anonymised data.
Elizabeth Denham, Information Commissioner, commented: “Data protection rules will also be made clearer for those who handle data but they will be made more accountable for the data they process with the priority on personal privacy rights. Those organisations carrying out high-risk data processing will be obliged to carry out impact assessments to understand the risks involved.”
And in an email to SC, Tom Thackray, CBI Innovation Director, said: “This legislation strikes the right balance in improving standards of protection while still enabling businesses to explore new products and services.”
From within the industry, Greg Day, VP and chief security officer EMEA, Palo Alto Networks emailed SC to say, “This is a crucial time for cybersecurity in Europe as organisations implement GDPR,” adding that the measures, “give welcome certainty and direction to the country's business and cyber-security leadership. ...The UK's forthcoming bill, which will serve to implement GDPR within the UK, makes it clear that this country wants to be a beacon of excellence for how organisations protect and secure personal data, including by preventing successful cyber-attacks, and give individuals control over how their personal data is used.”
Mark Thompson, head of privacy advisory at KPMG agrees saying, “This commitment also sends a strong message that the UK will have resilient data protection regimes, post-Brexit,” going on to observe, “This does however provide some challenges for business in terms of getting their houses in order, but, ultimately, this now means that privacy needs to be at the core of their business strategies.”
Lawrence Jones MBE, CEO of UKFast, said, “In light of Brexit we have been calling on the UK government to deliver legislation at least equal to the GDPR, so it's reassuring to see Matt Hancock announce these measures to implement the EU law today.
“Strong regulations like this help us to build confidence and to trade in the valuable currency of data, but the opportunity will only be realised if we maintain the same standards and inspire the same level of confidence in potential partners across the globe. We need to ensure the right safeguards are in place once we leave the EU in order to maintain and then strengthen our position.”
Dan Sloshberg, cyber resilience expert at Mimecast, concurred, saying: “The new Data Protection Bill reinforces the expectation that General Data Protection Regulation (GDPR) style compliance is a vital requirement for UK businesses even with Brexit pending. In fact, post-Brexit, demonstrating accountability around data protection may become a requirement to do business with Europe and its citizens.”
Greg Hanson, VP EMEA cloud at Informatica, added a note of caution, emailing SC to warn, “UK companies must have a comprehensive view over all the relevant data they hold if they are to comply with the new Data Protection Bill. If a customer triggers their ‘right to be forgotten' and the business doesn't have a comprehensive data management strategy, it can't guarantee to delete all the necessary information.” Noting the new heavy fines, he adds, “As a result, UK businesses need to identify which data will be subject to the new law and ensure that it can be easily accessed and deleted if needs be. To do this, they should map out all their data across the whole organisation, no matter where it is stored. Many companies have built up vast databases of personal information over the years, so an automated data discovery system is essential – humans can't process it all in time.
“A powerful automated data management strategy is essential if UK businesses are to gain the deep insight they need to ensure they are compliant.”
Colin Truran, principal technology strategist at Quest Software, emphasises that, “....businesses need to gain a clear understanding of the scope of the sensitive data their organisation handles, and implement proper processes to protect that data. Having clear insight into what personal data is stored, where it is located, who has access and who is responsible for its maintenance and processing is a critical first step. For many organisations this will be a major challenge, with data stored in multiple silos; often on premises and on various storage devices, as well as in the cloud. Utilising a solution that can collect and centrally store data from multiple systems, devices and silos across the enterprise is a must, as is appointing a data protection officer to guarantee that all employees are educated on how to adhere to GDPR.”
Migliano concludes that, while the new protections are “certainly a step in the right direction,” he advises: “Consumers should not rely on the Government to look after their digital rights and data. Instead they should take responsibility for minimising their digital footprint through a combination of cautious, careful habits and technology, such as using private browsing settings or a VPN.”
David Emm, principal security researcher at Kaspersky Lab, also supports individual responsibility and notes how the new Data Protection Bill would grant unprecedented rights for consumers to force social media websites and online companies to delete their data and to take back control of their personal information. Consequently he says, “It is important that the general public embraces this new freedom and recognises the value of personal data – not just to ourselves but to would-be cyber-criminals.” He adds, “...it is important that we on an individual level know what information is being kept and how it's being handled – which will also reduce the likelihood of it falling into the wrong hands. Being vigilant online – whether when using a work computer, home laptop, mobile or tablet device – should be second nature. Undertaking simple steps, like regularly changing passwords, reviewing default settings on social media and using anti-virus software across all devices can significantly help protect data.”
In a separate development, a new independent association, the International Data Sanitization Consortium (IDSC), is being launched tomorrow. The organisation says in a press release that it has been established in response to concerns that UK organisations are four times more likely to allocate no budget to GDPR compliance than their counterparts in the US, France and Spain, and that insecure and unreliable data removal methods used by IT professionals in the UK undermine the ‘Right to be Forgotten' requirement of the new regulation. It says that to properly comply with the GDPR, and avoid fines, IT professionals should be using data sanitisation to erase data, rather than basic deletion or free wiping software.