What Does The UK’s Data Protection Bill Mean For Business?

The UK recently published the text of a bill to replace its current data security and privacy rules.

The Data Protection Bill (DPB) is intended to allow UK businesses to continue doing business with the EU post-Brexit, and it should give businesses already gearing up for the forthcoming EU legislation a relatively easy transition.

In May 2018, the GDPR becomes the data security and privacy law across the EU. UK organisations have been preparing to meet its new rules, including the right to erasure, 72-hour breach notification, and stricter record-keeping requirements.

The DPB should, in theory, provide an easy transition for UK businesses after March 2019, the tentative date for the UK leaving the EU. Why? Because the DPB effectively incorporates the General Data Protection Regulation: the regulation is referenced directly in the bill.

Complexities

However, it is worth noting that the DPB is not a simple piece of legislation.

A large part of the bill is devoted to exemptions, restrictions, and clarifications that supplement the language of the GDPR.

The core of the bill is found in Part 2, where these various tweaks are laid out, including those for personal data related to health, scientific research, criminal investigations, employee safety, and the public interest. The actual fine print is buried at the end of the DPB in a long series of "schedules".

For example, the GDPR provisions on the right to erasure, data rectification, and objection to processing do not apply to investigations into financial mismanagement or public servants misusing their office. In effect, the targets of such an investigation lose control over their data.

While the goal of Brexit may have been to escape EU regulations, the Data Protection Bill essentially keeps the rules in place.

Differentiations

There are also a few surprises in the new UK law.

The DPB grants regulators at the UK's Information Commissioner's Office (ICO) new investigative powers through "assessment notices". These notices allow ICO staff to enter an organisation's premises, examine documents and equipment, and observe the processing of personal data. Effectively, UK regulators will have the ability to audit an organisation's data security compliance.

Under the existing UK data law, the ICO can only impose these non-voluntary assessments on government bodies, such as the NHS. The DPB extends mandatory data security auditing to the private sector.

If the ICO decides the organisation is not meeting its DPB obligations, these audits can lead to enforcement notices that set out the security shortcomings along with a schedule for when they must be corrected.

The ICO also gains the power to issue fines of up to 4% of an organisation's worldwide annual turnover. This is the same upper tier of monetary penalties as in the GDPR itself.

For UK companies (and UK-based multinationals) that already have security controls and procedures in place, the DPB's rules should not be a difficult threshold to meet. However, for companies that have neglected basic data governance practices, particularly for the enormous volumes of data held in file systems, the DPB will come as a surprise.

Information Age:
