We have great news for anyone who’s ever posted anything embarrassing online. New proposed ‘right to be forgotten’ data laws could be the much-needed antidote to your online woes.
The new Data Protection Bill, which is due to formalise the switch from the Data Protection Act to the General Data Protection Regulation (GDPR), is set to strengthen UK data protection laws and ensure citizens have more control over their own personal data.
Dishing out the dirt
A message released by the UK Government Department for Digital, Culture, Media and Sport suggests that 80% of people feel they do not have complete control over their data online. The new regulations hope to remedy people’s anxiety surrounding the way their data is stored, shared and used.
Under the new measures:
- People will have the right to ask for their personal data to be erased. Any social media posts can be forgotten whenever requested and at any time.
- Parents will be able to give consent for their child’s data to be used by an organisation.
- The term ‘personal data’ will be expanded to include IP addresses, internet cookies and DNA, as well as genetic, physical, physiological, cultural, location and economic identifiers.
- The right of access ensures data subjects are able to ask for a copy of any data the organisation may hold; this is called a Subject Access Request. The organisation is bound by law to deliver this information within one month and no charge can be made.
- Organisations will be required to encrypt data more often and adopt the pseudonymisation of personal data. Processing data in this way means it can no longer be attributed to a specific data subject. However, this process can be reversed using a ‘Secure Key’ when required, but only by an authorised person.
What does this mean for you?
You’ll need to have a close look at your company’s data compliance. The way you use your customers’ data will change, meaning you’ll need to have a condition, i.e. a reason or a purpose, for keeping, sharing and processing the personal data your business is using. Moreover, you’ll be required to keep detailed records about it and should be able to demonstrate you have a set of policies and procedures for upholding the rights and freedoms of every data subject you want to contact.
If a company is caught contravening the GDPR, it can be fined, that is, receive a Civil Monetary Penalty (CMP) of up to £17m or 4% of global revenues, a big leap up from current fines of £500,000.
To avoid any charges, the first step will be auditing the data you own and the way in which it’s managed. Your company will likely also require updated training or a change in your organisation chart. Get in touch with Bigwave now to discuss this further and find out how you can start preparing for the upcoming alterations to the law.