The new Data Protection Bill has got one or two throwing their hands in the air and saying, ‘what’s the point?’ Firstly, they argue that GDPR will fail to have any authority in the UK a mere nine months after it becomes law here, and secondly, as with any EU regulation, it must apply to all member states.
As such, by definition it can only extend itself to the lowest common denominator. Surely, as a soon-to-be independent state, we can do so much better, can’t we?
Don’t get me wrong, I am strongly in favour of GDPR. It is hard to believe that our current prevailing legislation, the Data Protection Act, was written in 1998. It has had so many tweaks and changes since its creation that a wise man would have bought shares in Elastoplast many years ago.
The Privacy & Electronic Communications Regulation (PECR) was brought in to deal with the digital explosion, but even that was written in 2003. When you consider all that has happened in the last 15 years, it is pretty amazing that no new data legislation has been introduced. So, the UK has long needed a new set of data laws and this couldn’t come soon enough.
Some are suggesting that there is a bit of political posturing going on here and that the Government is only doing this to show Brussels that we ‘can be better without you’.
Well, posturing or not, I think that the output of these new regulations will be a public that will have renewed faith in how businesses are going to use their data and what they are going to do with it. The legislation forces companies to be more open, honest and transparent about how they are going to use the data.
Any that fail to abide by the new rules face the prospect of heavy fines: up to £17 million, or 4% of their global turnover. This is a huge increase from the £500,000 maximum fine under the current Data Protection Act. Take into account the long-term reputational damage a company would also face for non-compliance, or for a data breach, and you have a recipe for disaster.
The right to be forgotten has long been discussed as one of the shining pillars of GDPR, but the UK’s version goes a stage further and makes sure that it is a legal obligation for social media companies to remove all material if it was posted before the person was 18, should they request it. Those of us that led chaste and virtuous lives, of course, have nothing to fear, but this is a small example of what could be done if we apply ourselves.
GDPR, or its home-grown alternative, will be good for consumers, good for society and, yes, good for business. Research suggests that business engagement is at best lacklustre (in part due to Brussels being characteristically vague) but they are set for a rude awakening any day now.
This new spate of coverage by the media should serve as a final reminder to businesses that this boat sailed some time ago. Whilst this will not be a pain-free journey for anyone in business, with data harder to acquire, retain and maintain, the prospect of a more positively disposed consumer has got to be a price worth paying.
Mark Roy is chairman of REaD Group