27 Mar 2017 UK Government’s Digital Strategy and data protection
The Government’s Digital Strategy, published at the beginning of this month, provides some encouraging indications that regulation in this area will continue to be a priority in the UK post-Brexit.
A key stated objective of the Digital Strategy is to improve public trust and confidence in the use of data, enabling the UK to provide a ‘world-leading’ data economy and to take full advantage of the opportunities offered by data analytics, artificial intelligence and the internet of things. To this end, the Strategy will include a review of existing data protection offences, with stronger punishments for ‘deliberate and negligent re-identification of anonymised data.’
Indeed, we are already seeing draft legislation that will form part of this strategy, such as the Digital Economy Bill and the General Data Protection Regulation.
The Digital Economy Bill aims to implement:
– broadband connectivity of minimum 10Mbps throughout the UK
– an increase in the criminal penalty for online copyright infringement from 2 years to 10 years in prison
– a Direct Marketing Code to protect consumers from spam emails and nuisance calls.
Central to the Strategy is data protection, and the Government has confirmed that the EU General Data Protection Regulation (GDPR) will be implemented in the UK before May 2018, and so will become part of domestic law well before Brexit.
Businesses should take note of the strengthened duties under the GDPR, and start to prepare for them now, as they will almost certainly affect all businesses to some degree.
In preparation for this, the Information Commissioner’s Office has this month released draft guidance on obtaining consent under the GDPR. The giving of consent under the GDPR must be “unambiguous”, through either a “statement” or “clear affirmative action”. Businesses must keep good records of consent and provide clear and simple ways for people to withdraw their consent at any time. Specific provisions proposed in the draft guidance are:
– opt-out consents will be no longer be valid; this includes the provision of pre-ticked opt-in boxes
– affirmative opt-in consents must therefore always be obtained
– consents must be kept separate from other terms and conditions
– consents should not be a pre-condition of signing up to a service
– businesses must be able to prove when and how consents were obtained and what information individuals were given at the time.
It has been suggested that the majority of businesses will need to obtain new consents to replace those taken prior to the GDPR coming into force in order to comply with the new requirements. For instance, the last of the obligations listed above means that businesses will need to be able to provide detailed records of each consent and the circumstances in which it was given.
There is currently a public consultation on the draft guidance underway, which will close on 31 March with finalised guidance due in May. Businesses are strongly advised to use the next twelve months to ensure that they have systems in place for compliance with the new regime.
Please do not hesitate to contact us on email@example.com or 07887 810020 if you would like further assistance or advice in this area of law.