In a radical update of the Data Protection Act from 1998, the overhaul of UK data protection laws announced earlier this month will introduce the EU’s General Data Protection Regulation (GDPR) into British law.
Although we do not yet know the full legal implications to the new bill, the regulatory objectives are likely to replicate GDPR in its entirety.
The GDPR, which comes into effect in May 2018, requires any business that processes data of EU citizens to comply with stricter privacy rules. It aims to bring more choice and control to data privacy, and enable the exercise of fundamental privacy rights of people, thus putting them back in control of their personal data.
However, with Britain’s exit of the EU fast-approaching, British consumers might have been considerably worse off than their European counterparts when it came to control over their personal data, as would British businesses who would have had to comply with two different sets of data privacy rules.
Having inconsistent data laws across the UK and Europe could quickly have become a compliance nightmare and would undoubtedly have had an impact on whether organisations choose to operate in the UK.
For businesses that want to operate or continue operating across the UK and Europe, the Data Protection Bill means they only have to worry about complying with one set of privacy rules.
The new UK law is therefore great news for consumers and businesses as it takes away some of the uncertainty around Brexit and means that essentially the same rules will apply.
Thinking beyond compliance
The newly announced bill is likely to put the issue of user consent and data privacy front and centre for many British businesses.
However, genuinely changing the way in which individuals and organisations manage and handle personal data will require technological as well as regulatory change, and this will create a set of new challenges for British businesses.
Compliance needs to be taken seriously for two reasons. First, the heavy fine of £17m or up to 4 per cent of global annual turnover should be enough of an incentive for more organisations.
More positively, companies who comply with the new rules will also be able to reap the rewards by build trust and improving their customer relationships, thereby giving themselves significant opportunity for growth.
How organisations approach these regulations will have an enormous effect on company performance and customer experience. For instance, better data protection and well executed consumer control will be major differentiating factors and can become a competitive advantage.
More control, more confusion?
For consumers, the immediate effect will be increased assurances from service providers that they have control about who and what has access to their data. However, having more control of personal data could easily prove confusing for many people.
For instance, in order for the new proposals to succeed, an individual user needs to be able to make informed decisions about a series of important issues, including data sharing, service registration and data revocation.
This will necessitate major changes in both technology and mindset from organisations and businesses who today often see consent simply as a tick-box compliance exercise.
It is therefore important that service providers are careful not to overload end users with complex consent, revocation and data management questions, causing more confusion rather than confidence. Instead keeping it simple and understandable is key. Transparency fosters trust and customer loyalty in turn.
The technical challenge of implementing new rules
Organisations will have to make a number of internal changes in order to comply with the new regulation. Businesses might require a data privacy/protection officer (DPO) to oversee new processes, including internal audits surrounding data and security practices, and to ensure compliance.
It is also likely that companies will need to introduce innovative technologies and systems to allow for additional features such as progressive user profiling. This kind of feature is necessary to ensure companies only request customer data when a customer signs up for a service and their information is specifically needed.
Additionally, technology which would allow end users to give consent to the parties who can have access to data, and technology which enables the customer to export or remove data, needs to be implemented.
>See also: The era of increased data protection rules
The Data Protection Bill is a huge step in the direction of a more consumer-centric approach to using personal data. However, legislators must also make sure that the bill is future-proofed so that it can be applied to new technologies and methods of interaction.
The Internet of Things (IoT) is already leading to the creation of devices and services that cannot easily be accessed and managed through conventional methods and any regulatory changes will need to take into account the rapid pace of innovation within this space to avoid further disruption for businesses in the future.
Sourced by Simon Moffatt, director of Product Management, ForgeRock
The UK’s largest conference for tech leadership, TechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here