The eraser sculpture in the sculpture garden in Seattle.
The UK grants citizens the right to request their data be forgotten and erased in proposed data laws. PHOTO: Christmas w/a K

British citizens could request organizations to erase personal data and ask social media providers to delete old posts from their childhood under the United Kingdom’s proposed data protection regulations.

The proposed Data Protection Bill aims to toughen Britain’s existing Data Protection Act of 1998 when the new legislation goes before the British parliament later this year or early in 2018.

But fear not, marketers. You can still use personal data to send personalized offers and messages to prospects and customers.

Higher Fines, Stricter Permissions

The first such overhaul in nearly two decades, the proposed laws will govern the use of personal data in the UK and give individuals more direct control over their personal data and how enterprises use it.

Matt Hancock, the UK’s minister of state for digital, issued a statement of intent (PDF) on Monday that details the changes.

The sweeping new laws would also give the UK’s data regulator much sharper enforcement teeth. 

For example, under the existing Data Protection Act, fines for companies that suffer data breaches currently top out at £500,000 (about $650,000). Under the proposed new provisions those fines could jump as high as £17 million (about $22 million) or 4 percent of a company’s global revenues, whichever is higher.

Another planned change is that organizations will be prohibited from using pre-checked "consent" boxes in electronic agreements that force users to de-check them to opt out of giving organizations permission to use their personal data.

Redefining Personal Data

Wondering what that personal data includes? According to the statement of intent, the very definition of personal data will be broadened considerably to reflect the realities of today’s digital world:

“Personal data is information that is attributable to an individual and may help to identify them. We will expand the definition of ‘personal data’, reflecting the growth in technology over the past 20 years to include IP addresses, internet cookies and DNA,” the statement reads. 

As for rights for citizens to their data, the proposed rules refer to this as the "right to be forgotten," with some exemptions.

"Individuals," the rules would say, "will be able to ask for their personal data to be erased. This will include provision to allow people to require social media platforms to delete information they posted during their childhood. In certain circumstances, individuals will have the ability to ask social media companies to delete any or all of their posts."

Data Breaches Taken Seriously

The proposed new regulations will also force companies to disclose data breaches to the authorities within 72 hours of their occurrence “if the breach risks the rights and freedoms of an individual.” And in cases where the breach is considered high risk, companies must now bear the responsibility to inform the individuals themselves.

However, the intent of the new bill is not to be anti-business. For example, it does not preclude businesses from using personal data to design personalized advertising. 

“[It] will bring our data protection laws up to date," Hancock wrote. "It will both support innovation by ensuring that scientists and businesses can continue to process data safely. It will ensure that we can remain assured that our data is safe as we move into a future digital world based on a system with more accountability…”

Post-Brexit Plans

Hancock also pointed out that these rules are being designed with the UK’s exit from the European Union in mind. 

In the wake of last October’s "Brexit" vote to leave the European Union, there was initial confusion about whether organizations might be able to bypass the EU’s General Data Protection Regulation (GDPR) simply by domiciling their data in Britain.

However, Britain will still be a full member of the EU when the GDPR rules go into effect next year, and Hancock makes clear in his statement that even post-Brexit, the UK will continue to adhere to the EU’s GDPR framework.

Steering Clear of Over-Regulation

In fact, Britain intends to incorporate the data privacy element of EU law into its domestic law so that it will apply afterwards:

“Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU,” the statement reads. “The EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) have been developed to allow people to be sure they are in control of their personal information while continuing to allow businesses to develop innovative digital services without the chilling effect of over-regulation.”

Building Confidence 

In fact, some British companies are insisting that there be parity between the UK and the EU. Lawrence Jones, chief executive of British data hosting and cloud computing specialist UKFast, argues that the UK’s laws must be at least equal in strength to the levels of protection offered by the GDPR.

“In light of Brexit we have been calling on the UK government to deliver legislation at least equal to the GDPR, so it’s reassuring to see Matt Hancock announce these measures to implement the EU law today,” Jones said in remarks published on his company’s website.

“Strong regulations like this help us to build confidence and to trade in the valuable currency of data, but the opportunity will only be realized if we maintain the same standards and inspire the same level of confidence in potential partners across the globe,” Jones added.

“We need to ensure the right safeguards are in place once we leave the EU in order to maintain and then strengthen our position.”

Leading the Digital Economy of Europe 

The UK has a great deal to lose by not addressing digital and data issues strategically and proactively. One key reason is that, of the 30 cities ranked by the European Digital City Index as the best places for tech startups, nine are in the UK, with London topping the list.

There is a lot built into the UK’s proposal that’s designed to protect and enhance the UK’s position as a digital leader and tech hub. 

For instance:

  • Individuals will find it easier to require organizations to disclose any personal data they hold on them.
  • Customers will find it easier to move data between service providers.
  • Individuals will be able to request that their personal data be erased.
  • Individuals will have a greater say in decisions that are made about them based on automated processing.

Small Businesses Still Worry

Even with the statement of intent, many businesses, especially smaller ones, are still unsure what the proposed Data Protection Bill legislation will mean for them.

In a response to the statement of intent posted on the Federation of Small Businesses website, Mike Cherry, the organization’s national chairman, agreed that for most small businesses, the scope of the GDPR regulations has yet to sink in.

“Small businesses need to get ready for the introduction of General Data Protection Regulation (GDPR), and today’s statement provides a bit more information,” he declared.

“However, for almost all smaller firms, the scope of the changes has not even registered on their radar. They simply aren’t aware of what they will need to do, which creates a real risk of companies inadvertently facing fines.”

In the UK alone, Cherry added, there are 5.5 million small businesses that could be affected.