The small business guide to the Data Protection Bill 2017

The Data Protection Bill 2017 marks the introduction of a raft of new measures intended to give consumers more control over their data – and it has huge implications for small businesses.

Here, we’ll explain some of the contents of the Bill, and what they could mean for SMEs.

Remember, this article is just an overview and you should conduct your own thorough research. Always seek professional advice if you’re unsure about your legal responsibilities.

What is the Data Protection Bill 2017?

The Data Protection Bill is a new set of laws designed to bring the existing Data Protection Act up to date. The old Act hasn’t been updated since 1998, and since then the definitions and uses of personal data have changed significantly.

The Bill, which comes into force in 2018, will also write into UK law new EU rules known as the General Data Protection Regulations (GDPR). The UK is introducing the changes in order to retain equivalence with the EU after Brexit and to ensure that data can be moved between the UK and EU after this date, but the Data Protection Bill 2017 also goes further in its requirements of social media companies.

What is GDPR?

The General Data Protection Regulations (GDPR) is a set of new EU rules governing the use of personal data. It is a major update to the law in this field, and has implications for businesses of every size. Read more in our comprehensive guide to GDPR for small business.

What does the Data Protection Bill 2017 mean for small businesses?

The Data Protection Bill includes a range of measures intended to broaden the scope of protection for personal data. For a full guide to the changes coming in 2018, it’s recommended that you read the introduction to GDPR above.

The Bill includes measures in the following areas:

- Definitions. The definition of personal data will be broadened significantly when compared with the 1998 rules, in order to include new types of data. For example, ‘personal data’ will now include cookies, IP addresses, and even individuals’ DNA.

- Consent. Currently, it is common for businesses to force users to opt out of being added to mailing lists, for example by clicking a checkbox. From next year, consent will have to be given explicitly before details are collected. Furthermore, consent can be withdrawn at any time.

- Right to be forgotten. If your small business collects data on consumers, you will need to provide ways for them to contact you and ask for it to be removed. Consumers will receive more power over the ways in which their information is held and wiped.

- Processing. If your business automates the processing of data in any way, for example data collected through job applications, you will have to rethink this from next year. As a result of the Data Protection Bill, individuals will have the right to insist that their data is processed by a human, rather than automatically – a potentially huge change for businesses of every size.

- Portability. Consumers will also receive the right to move their data easily and without hindrance between companies and providers.

- New offences. Finally, and perhaps most importantly for businesses, the penalty regime for data offences is changing significantly. As a result of the new laws, businesses could face fines of up to £17 million, or four per cent of their turnover, for offences under the Act. In addition, two new criminal offences are being created: one for when individuals are re-identified from anonymous data, and a second for data tampering.

