The British Government has had enough. The past several years have seen a large and growing number of high-profile data breaches with every year breaking the last year’s records in total number of attacks and total number of compromised records. Even so, a shockingly low number of companies seem to have gotten the memo that the game is changing around them. They’re just not doing enough, or moving quickly enough to secure their data and that of their customer base.
To that end, the British Parliament has proposed a new Data Protection Bill. If passed, it would give the government the authority to levy fines against companies that fail to take appropriate measures to protect themselves from cyberattacks, and it should be noted that those fines are hefty. If the bill becomes law, companies could take a hit of up to $22 million, or four percent of their global turnover, whichever amount is higher. “The data protection bill will not be published in full until the end of the summer recess, and is expected to be voted on in the current parliamentary term.” theguardian
“Under government plans, individuals will have more control over their data by having the “right to be forgotten” and can also ask social media companies such as Twitter and Facebook to delete their personal data.” wired
Matt Hancock, the Digital Minister, said, “Our measures are designed to support businesses in their use of data and give customers the confidence that their data is protected and those who misuse it will be held to account.”
The primary provisions of the bill include:
• Making it easier for users to move their own data between service providers
• Expanding the definition of “personal data” to include IP addresses, internet cookies and DNA
• Enabling parents to give consent in order for their child’s data to be used by any third party
• Requiring explicit consent before handling or processing any individual’s sensitive data
• Allowing individuals to request that any data held by a corporation to be deleted from their system
• Simplifying the process by which an individual can withdraw consent for the use of personal data
As the growing number of successful data breaches indicate, a majority of companies are either struggling with the notion of controlling the data they collect, or not caring enough to bother.
While it remains to be seen whether the British Government’s approach is the right one, it is, at least, a step. It is a first attempt at creating an incentive for companies to take data security much more seriously than they currently do, and that’s a very good thing.