The government released an outline for its new Data Protection Bill this morning, telling businesses that it would reduce their exposure to risk of data protection breaches as long as they became more responsible.
It said it would “build accountability but with less bureaucracy”, by alleviating the administrative and financial burdens on data controllers while making them more accountable for the data being processed.
Under the proposed new legislation, organisations carrying out “high risk data processing” will have to carry out an impact assessment to understand the risks involved, and how to prevent inappropriate usage.
“We will offer further clarity and certainty to businesses whilst they continue to collect, share and process personal data – in so doing maintaining the UK’s world-renowned culture of innovation, promoting economic growth and cementing the UK’s position as a global leader in the digital economy,” the government's statement of intent read.
Businesses will have to notify the information commissioner within 72 hours of a data breach taking place, if that breach risks an individual's “rights and freedoms”. If there is a high risk, businesses must notify the individuals affected.
Although the government has said it is trying to pursue business-friendly data protection legislation, firms may be in for a bigger sting in the tail if they contravene any rules.
It has promised to create two new criminal offences of “intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data” and “altering records with intent to prevent disclosure following a subject access request”. Fines could be unlimited.
“The proposed changes will require businesses to sharpen up their data protection processes. Organisations need to take action now to ensure they are adequately capturing, integrating, certifying, monitoring and of course, protecting their data,” said Patrick Booth of big data specialist Talend.
Christopher Coughlan, head of data protection and privacy at law firm Ashfords, added:
“The government's ambition for the data science sector to thrive is encouraging for everyone involved in data businesses.
“The Information Commissioner has today reemphasised the fact that the Data Protection Bill will make organisations more accountable for their data processing activities, with data privacy being a priority for her office. Her statement should be seen as a warning shot to organisations to get their houses in order.”
The new legislation has been motivated by the European Union's General Data Protection Regulation. It defines data controllers as the organisations which say how and why data is processed, while processors are those who act on the controller's behalf.