10th August 2017
In the light of this week’s news about the data protection bill, companies need to act now and proactively work towards compliance with proposals in the bill as they become clearer. Smart companies in the digital economy are setting the standard not just for safe, secure WiFi, but for data protection and data security, confident of full compliance before the May 2018 deadline when the European Union’s GDPR will become UK law.
The Data Protection Bill outlined by Digital Minister Matt Hancock aims to give weight to accountability on data protection and to address the balance between digital freedom and responsibility online.
Data protection in a fast-moving and changing digital world has a history and is constantly evolving. The Data Protection Act (DPA) of 1998 established a legal framework for the use of personal data and was widely considered a gold standard, later reinforced with further powers in 2010 and strengthened more recently with the Digital Economy Act 2017, which made it easier to enforce the law against nuisance calls.
The new data protection bill will repeal and replace the old DPA entirely, therefore avoiding the confusion that can occur when new laws are put on top of old ones. The new bill introduces tougher constraints on consent for use of personal data, rights of access to data and people’s right to erase personal data. Enforcement of these is to be strengthened as Data Protection Law is brought more up to date with today’s digital world. Failure to comply will result in fines to businesses, and the burden is very much on firms to act now and implement new policies and procedures in accordance with proposals in the bill.
As the Digital Minister states, the EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) are being implemented to ensure people are in full control of their own personal information whilst at the same time allowing innovative digital businesses to grow and continue to bring massive benefits to the UK economy.
One of the key features of GDPR is ‘consent’ and giving people a clear choice on how their data will be used and whether they agree to this. Proactive organisations are acting now to implement procedures which give individuals genuine choice and control over their own personal data.
The login journey for WiFi services is where changes are being made, giving people positive opt-in or opt-out options with links to concise and clear Privacy Policies and Terms and Conditions. In line with guidelines, organisations should avoid making consent a precondition of service. Consent requires a positive opt-in from people without the use of pre-ticked boxes or any other method of consent by default. Processes and procedures should also make it easy for people to withdraw consent and tell them how to do it.
Terms and Conditions for WiFi services need to be crystal clear on what data is being collected, the reasons why, the intended usage of such data and the ability of the public to opt-in for any marketing, as well as providing them clear instructions on how they can opt-out at any time.
Major points of compliance include:
Many companies, particularly small businesses, are not prepared for the rigorous data protection legislation coming into force in May 2018. Proactive organisations should be implementing policies and procedures now, and continue to respond and implement changes early as more detailed information becomes clear from the bill regarding data deletion requests, how users can get hold of information more freely, and what an expansion of personal data to include IP addresses and small text files called cookies will mean.