The expert view: Davey Winder
Overall, I think that the Data Protection Bill will be a positive force: not only for protecting the rights of individuals when it comes to the collection and use of personal data, but also in bolstering cybersecurity implementation for businesses large and small. The threat of potentially fatal fines for a business should they fall foul of the new law will help focus security spend where it can be most effective. Regulatory compliance will therefore hopefully move from being, as far as security is often concerned, a checkbox affair to a truly business-critical consideration.
That’s not where the positives end, either: giving ordinary people more control over how their data is used is always a win, as is making it a “recordable offence” to alter personal data in such a way that it doesn’t have to be disclosed under the terms of the bill. The legal obligation to allow individuals to withdraw consent, and to request deletion of data, is long overdue.
The negative creep begins with what is left out, or blurred by the 100+ pages of explanatory notes. The bill makes the re-identification of anonymised data an offence, something that could see many security researchers fall foul of the law, especially when you consider that vagueness already exists regarding what exactly is “in the public interest”, and continues within the scope of this bill.
Currently, I could be committing a crime for both discovering a security vulnerability in the first place (responsibly disclosing this to the company concerned) and going public with it after nothing is done to fix it within three months.
Then there are the conflicting implications of the Investigatory Powers Act (IPA) to take into account. I’m pretty sure that the Government won’t be asking for explicit permission to snoop on citizens it’s suspicious about, nor giving them the right to delete the data so collected...