What Does The UK’s Data Protection Bill Mean For Business?

The UK recently published the final version of a law to replace its current data security and privacy rules.

The Data Protection Bill (DPB) will allow UK businesses to continue doing business with the EU post-Brexit. The DPB should provide a relatively easy transition for businesses gearing up for the forthcoming EU legislation.

In May 2018, the GDPR will become the data security and privacy law in the EU. UK organisations have been preparing to meet these new rules, including the right to erasure, 72-hour breach notification, and stricter record keeping requirements.

The DPB should, in theory, provide an easy transition for UK businesses after March 2019, the tentative date for the UK leaving the EU. Why? Because the DPB is effectively the General Data Protection Regulation, it’s referenced directly in the law.

Complexities

However, it’s worth noting that the DPB is not a simple piece of legislation.

A large segment of the bill is devoted to exemptions, restrictions, and clarifications that supplement the language in GDPR.

The core of the bill is found in Part 2, wherein these various tweaks are laid out including; for personal data related to health, scientific research, criminal investigations, employee safety, and public interest. The actual fine print is buried at the end of the DPB in a long section of “schedules”.

For example, GDPR legislation related to the right to erasure, data rectification, and objection to processing, doesn’t apply to investigations into financial mismanagement or public servants misusing their office. In effect, the targets of an investigation lose control of their data.

While the goal of Brexit may have been to escape EU regulations, the Data Protection Bill essentially keeps the rules in place.

Differentiations

There are also a few surprises in the new UK law.

The DPB grants regulators at the UK’s Information Commissioner’s Office (ICO) new investigative powers through “assessment notices”. These notices allow the ICO staff to enter the premises of an organisation, examine documents and equipment, and observe processing of personal data. Effectively, UK regulators will have the ability to audit an organisation’s data security compliance.

Under the existing UK data law, the ICO can only order these non-voluntary assessments against government agencies, such as the NHS. The DBP expands mandatory data security auditing to the private sector.

If the ICO decides the organisation is not meeting DPD compliance, these audits can lead to enforcement notices that point out the security shortcomings along with a schedule of when they should be corrected.

The ICO also has the power to issue fines of up 4% of an organisation’s worldwide revenue. This is the same level of monetary penalties as in the original GDPR.

For UK companies (and UK-based multinationals) that already have security controls and procedures in place, the DPB’s rules should not be a difficult threshold to meet. However, for companies that have neglected basic data governance practices, particularly for the enormous amounts of data held in file systems, the DPD will come as a surprise.

Information Age:

You Might Also Read:

A 9-Step Guide For GDPR Compliance:

UK Deal With EU On Post-Brexit Data Sharing:

GDPR - 10 Things You Must Know:

 

« Thomson Reuters Create A Knowledge Meta-Graph
Social Media & Crisis Management »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

WEBINAR: 2024 and Beyond: Top Six Cloud Security Trends

WEBINAR: 2024 and Beyond: Top Six Cloud Security Trends

April 4, 2024 | 11:00 AM PT: Join this webinar to find out about six emerging trends dominating the cloud cybersecurity landscape.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Kualitatem

Kualitatem

Kualitatem Inc. is an independent software testing and information systems auditing company

Secure Recruiting International (SRI)

Secure Recruiting International (SRI)

SRI is an industry leader in Information Security , Networking, Wireless and Storage recruitment.

CERT-AM

CERT-AM

CERT-AM is the national Computer Emergency Response Team for Armenia.

Pole SCS (Secure Communicating Solutions)

Pole SCS (Secure Communicating Solutions)

SCS is a world-class competitiveness cluster dedicated to digital technologies in the fields of Microelectronics, Internet Of Things, Digital Security, Artificial Intelligence And Big Data.

Exprivia

Exprivia

Exprivia is active in the design, development and integration of IT systems including cyber security.

Thinkst Applied Research

Thinkst Applied Research

Thinkst is an Applied Research company with a deep focus on information security.

CSIRT GOV - Poland

CSIRT GOV - Poland

Computer Security Incident Response Team CSIRT GOV, run by the Head of the Internal Security Agency, acts as the national CSIRT responsible for coordinating the response to computer incidents.

Cog Systems

Cog Systems

Cog Systems offer an embedded solution built on modularity, proactive security, trustworthiness, and adaptability to enable highly secure connected devices.

CipherTrace

CipherTrace

CipherTrace develops cryptocurrency Anti-Money Laundering, cryptocurrency forensics, and blockchain threat intelligence solutions.

Council to Secure the Digital Economy (CSDE)

Council to Secure the Digital Economy (CSDE)

CSDE brings together companies from across the ICT sector to combat increasingly sophisticated and emerging cyber threats through collaborative actions.

Enclave Networks

Enclave Networks

Our mission is to give IT professionals a simple way to rapidly build secure connectivity between any application, computer system, device or infrastructure - regardless of the underlying network.

AwareGO

AwareGO

AwareGO is a global provider of security awareness training content and solutions that help enterprises improve cybersecurity awareness in the workplace.

Quside

Quside

Quside, a spin-off from The Institute of Photonic Sciences in Barcelona, designs and manufactures innovative quantum technologies for a wide range of applications including cyber security.

Zephyr Project

Zephyr Project

The Zephyr Project strives to deliver the best-in-class RTOS for connected resource-constrained devices, built to be secure and safe.

ClearVector

ClearVector

ClearVector is a leading provider of realtime, identity-driven security for the cloud.

Project Cypher

Project Cypher

Project Cypher leverages the latest cybersecurity developments, a world class team of hackers and constant R&D to provide you with unparalleled cybersecurity offerings.