Earlier this month the UK introduced a new Data Protection Bill that gives citizens more control over their online data, and raises the fines that the Information Commissioner’s Office (ICO) will be able to levy from its current maximum of £500K to up to £17M or 4 per cent of global turnover. The new legislation appears to support the UK government’s previous commitment to remain in line with the EU’s GDPR as it implements Brexit. Essentially, the bill makes GDPR UK law, which the government believes is necessary to ensure continuity through Brexit.
Like GDPR, individuals will have the “right to be forgotten” and have personal data erased. According to the official press release from UK Digital Minister, Matt Hancock, Minister of State for Digital, “The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.” The release specifies that the bill will:
- Make it simpler to withdraw consent for the use of personal data
- Allow people to ask for personal data held by companies to be erased
- Enable parents and guardians to give consent for their child’s data to be used
- Require ‘explicit’ consent for processing sensitive personal data
- Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
- Make it easier and free for individuals to require an organization to disclose the personal data it holds on them
- Make it easier for customers to move data between service providers
Foreshadowing for U.S. companies?
While both GDPR and its forthcoming UK version impose far more strict guidelines on customer data than any current U.S. legislation, U.S. companies have every reason to be as preoccupied with complying with the new laws as their UK and EU counterparts. To start with, any U.S. company operating in either the UK or EU can be subject to the same oversight and fines–in other words, any company that has operations, or aspires to have operations in the UK or EU must comply with this law.
Additionally, this is likely a foreshadowing of things to come. Australia has already passed its own version of GDPR, and it’s only a matter of time before Canada adopts something similar. And even if the current administration moves toward deregulation, the odds are that a future administration will move in the direction of the UK, EU, and Australia.
Need for end-to-end control over customer data
For companies on all sides of the pond, what this really spells is a need for an enterprise data management strategy designed to gain complete control over all customer data. This is going to require some work, as many companies currently don’t even have full insight into all the customer data they have stored in various departmental siloes, much less the ability to retrieve it or prove that it’s been deleted.
One of the most difficult kinds of customer information to manage is data associated with communications taking place through numerous customer touch points. With the number of communications channels rapidly expanding to include IM, social media, encrypted messaging apps and more conversations happening on collaborative tools that allow simultaneous group communication, the task of capturing, indexing, and retrieving customer data becomes increasingly daunting. Companies need solutions that automate these processes as much as possible, and they also need to ensure that they can to scale their storage to handle an influx of data.
With all of the indicators showing that most companies on all sides of the pond aren’t anywhere near ready to comply with GDPR, and that the process can take years, U.S. companies would be wise to start now. To learn more how Actiance can help your company meet the requirements of GDPR and the UK Data Protection Bill, visit https://www.actiance.com/solutions/regulatory-compliance/. Also, check out our GDPR infographic here.