23 May 2018
Elizabeth Denham welcomes the new Data Protection Act 2018 alongside the GDPR. Organisations and data protection professionals could use this as an introduction to the new Act.
Nearly a year after its announcement in the Queen’s speech, the Data Protection Bill has worked its way through parliament with much debate and, with Royal Assent, is ready to move into UK law as the new Data Protection Act 2018.
As the data protection authority for the UK, we are eager to embrace the changes it brings and begin regulating the new UK and EU legislation that, from 25 May, will make our country one of the world’s most progressive data protection regimes.
The previous Data Protection Act, passed a generation ago, failed to account for today’s internet and digital technologies, social media and big data.
The new Act updates data protection laws in the UK, and sits alongside the General Data Protection Regulation (GDPR) which is also due to take effect in two days’ time. The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.
The UK’s growing digital economy relies on consumer trust to make it work. The Act, along with the GDPR provides a modernised, comprehensive package to protect people’s personal data in order to build that trust.
Our personal data is a version of each of us – what we’ve done, what we’ve read, where we’ve been and who is in our network. It is our health status, our financial decisions, our political beliefs and affiliations. Our desire to book a flight, update our browser, or sign up for a service should not be governed merely by terms and conditions set by an organisation. Life is too short to decipher fine print.
The new laws provide tools and strengthened rights to allow people to take back control of their personal data.
The legislation requires increased transparency and accountability from organisations, and stronger rules to protect against theft and loss of data with serious sanctions and fines for those that deliberately or negligently misuse data.
And although the ICO will be able to impose much larger fines - this law is not about fines. It’s about putting the consumer and citizen first. Telling people we can’t lose sight of that.
The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25 May 2018. From this date, we’ll be enforcing the GDPR and the new Act but we all know that effective data protection requires clear evidence of commitment and ongoing effort.
It’s an evolutionary process for organisations –no business, industry sector or technology stands still. Organisations must continue to identify and address emerging privacy and security risks in the weeks, months and years beyond 2018.
As long as there is data protection law the ICO is here to help. We have a whole host of guidance and resources on our website and we’ll keep doing the same job we’ve always done, offering advice, guidance and education for everyone who needs it.
Governed by these laws, organisations will have the incentive and the opportunity to put people at the heart of their data services. Being fair, clear and accountable to their customers and employees, organisations large and small will be able to innovate with the confidence that they are building deeper digital trust.
|Elizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.|