A new Data Protection Bill will allow people to ask for personal data to be deleted and give them the ‘right to be forgotten’.
The Bill will transfer the EU’s General Data Protection Regulation into UK law. Implementation is set to be next May.
Firms that flout the new law will face much bigger fines – up to £17m or 4% of global turnover. The current maximum fine is £500,000.
The details are hazy, and the Bill has come under attack as sounding the ‘death knell’ for smaller firms.
Despite the lack of detail, there are major implications for letting and estate agents.
For example, cold calling will be banned without explicit prior consent of individuals who will have to opt in to be put on lists.
They will also have to be made aware that their information is being passed on to others.
There are also possible concerns about automated processes, which consumers can demand be done by a real person.
The situation regarding tenants’ references is so far unclear.
Lawyer David Smith yesterday afternoon told EYE that he doubted whether tenants would have the right to see their references and control the data within, but cautioned: “It is a bit too early to tell.”
In principle, though, all clients, present and past, will be able to request that you no longer use their data at any given time, and will be able to ask exactly what information you hold on them and how it is being used.
Digital minister Matt Hancock said the new Bill “will give us one of the most robust, yet dynamic, set of data laws in the world”.
He said: “It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”
Proposals contained in the Bill, which will replace the Data Protection Act 1998, include:
- Making it simpler for people to withdraw consent for their personal data to be used.
- Giving people the right to ask for removal of social media posts they might have come to regret.
- Enabling people to ask any organisation holding personal data, such as their names, to delete it.
- Requiring firms to obtain ‘explicit’ consent when they process sensitive personal data.
- Expanding personal data to include IP addresses and internet cookies.
- Enabling people to get hold of the information organisations hold on them much more easily.
- Making it a criminal offence to identify people from anonymised data or who have used pseudonyms.
- Making it a criminal offence if organisations are found tampering with data which an individual has asked to see.
Information Commissioner Elizabeth Denham said: “We are pleased the Government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.”
However, there are concerns that businesses – which will need to review their current systems, train staff and be able to retrieve historic data quickly if asked to remove it – are not being given enough time to prepare.
The Forum of Private Business yesterday warned that the new regime will sound the death knell for smaller businesses.
It said that “a lack of clarity on what small businesses can and cannot do in terms of data use will lead to inertia through fear of breaking the new rules”.
It said only larger businesses with in-house compliance experts or the money to employ consultants would be able to cope.
It added: “The way many small businesses operate in today’s world relies on electronic communication with existing and prospective customers.
“Many businesses rely on email lists for their marketing, and the prospect of obtaining overt consent, and maintaining consent records, is one that many businesses will simply not be able to cope with.”