The new UK Data Protection Bill announced last month surprised many and, for a while at least, has put the issues of user consent and data privacy top of the agenda for many British businesses.
However, the Bill, which if passed will bring the EU's General Data Protection Regulation (GDPR) into British law, is primarily motivated by a need to reduce uncertainty ahead of Britain's exit from the EU.
We do not yet know the full legal implications of the new Bill, but it is likely to replicate the EU GDPR, which comes into effect in May 2018, in its entirety.
The GDPR requires any business that processes data of EU citizens to comply with stricter privacy rules. It is intended to bring greater control and transparency to data privacy, and give consumers the power to exercise fundamental privacy rights.
Without the Bill, British consumers might have been considerably worse off than their European counterparts post-Brexit. This would also have been hugely problematic for British businesses who would have had to comply with two different sets of data privacy rules.
Having inconsistent data laws across the UK and Europe would undoubtedly have been a nightmare scenario for businesses and would certainly have had a negative impact on organisations choosing to operate in the UK. The Data Protection Bill is therefore great news for businesses that want to operate or continue operating across the UK and Europe, as it means they only have to worry about complying with one set of privacy rules.
Businesses should be proactive about data protection
Beyond reducing Brexit uncertainty, the UK's new data protection laws should also help to bring about a significant change to the way in which individuals and organisations manage and handle personal data. However, in order for consumers to really feel the benefits of the regulations, technological and policy changes within businesses will also be needed.
The new law comes with some pretty significant incentives for compliance. The potential fine of £17m or up to four per cent of global annual turnover (whichever is higher) should certainly motivate most organisations to take the changes seriously.
However, there is also a broader benefit for those companies that can adapt effectively to the new regulations. By embracing this new model for privacy and consent, businesses can also build more trusted relationships with their customers and establish better, more profitable long-term relationships.
With consumers increasingly savvy about who has access to their data, better data protection and well executed consumer controls are likely to be a significant competitive advantage in the future.
Being in control can be confusing
Once passed, the Data Protection Bill will give end users far more control over who and what should have access to their data. However, having more control could easily prove confusing for many people, who simply aren't used to making detailed decisions about consent and privacy issues.
For instance, the new proposals will give individual users the power to make informed decisions about a series of important issues, including data sharing, service registration and data revocation.
This will necessitate major changes in both technology and mindset; organisations will need to think beyond compliance and implement changes to make this process simple and easy to use for customers - or they will risk frustrating the people they are supposed to be empowering.
Transparency will foster trust and customer loyalty, so service providers must be careful not to overload end users with complex consent, revocation and data management questions, causing more confusion rather than confidence.
Internal changes will be essential
Businesses will have to adapt at a technical and organisational level in order to comply with the new regulation. For instance, organisations might require a data privacy/protection officer (DPO) to ensure compliance and to oversee new processes, including internal audits surrounding data and security practices.
More organisations will also need to introduce new technologies and systems to allow for additional features such as progressive user profiling. This will be necessary to ensure that companies only request customer data when a customer signs up for a service and their information is specifically needed. Furthermore, technologies need to be implemented to allow end users to give consent to the parties who can have access to data, and to export or remove data when required.
Although primarily created to reduce Brexit uncertainty, the Data Protection Bill is a major step forward for the UK. If it is implemented effectively and businesses approach it as a genuine opportunity to improve customer relationships then it could genuinely lead to a more consumer-focused era for personal data and privacy.
Simon Moffatt is director of product management at digital identity and access management software company ForgeRock