
UK may fine tech companies millions if they can't protect your data from a breach

The UK government's plans to update its data protection laws could result in fines for companies that neglect to properly secure and manage user data.

Through its newly-proposed Data Protection Bill, the UK government could fine tech companies that mishandle customer data. Outlined in a government press release Monday, the government could fine a company £17 million, or 4% of global turnover, whichever amount is higher.

The fines would be issued by the Information Commissioner's Office (ICO). "Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account," Matt Hancock, minister of state for digital, said in the release.

The original statement of intent for the bill was published in April 2017, and many may recognize it for its association with the "right to be forgotten," a concept that could allow for old or irrelevant information about an individual to be removed from indexed searches and other places online at their request. The goal of the bill is to improve user confidence in how their data is maintained, as some 80% of people believe they don't have full control over their online data, the release said.


Along with the right to be forgotten, users can ask social media sites to delete older posts from their childhood as part of the bill, the release said.

Under the new bill, users will have a much easier time withdrawing consent for the use of their personal data, the release said. It will also make it possible for parents and guardians to give consent for the data of their children to be used, if they so wish, the release said.

When it comes to sensitive personal data, the bill will now require "explicit" consent for its use by companies. The phrase personal data will also now include cookies, IP addresses, and DNA as well, the release said.

Users will also now find it easier to require an organization or business to let them know what data of theirs it is holding, and to move their data among different service providers.

"The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world," Hancock said in the release. "The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit."

While the bill definitely has implications for businesses in the UK, its effects could potentially trickle into other markets as well. Companies should prepare their data policies to meet the demands of the new bill as it gets closer to full approval, and consider adopting the changes more broadly across their operating regions in case similar bills begin to gain steam in other countries.

The 3 big takeaways for TechRepublic readers

  1. The UK's proposed Data Protection Bill could allow the Information Commissioner's Office (ICO) to fine companies that mismanage or improperly secure customer data.
  2. The new bill would include the right to be forgotten, along with requiring explicit consent for use of sensitive personal data.
  3. The bill has implications for businesses in the UK, but also for companies in surrounding areas as its impact could spread.


About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.
