News story

Data laws made fit for the digital age

Tough new laws to give people more control over their data and how it is used have come into force today.

Data Protection

People will now be able to move their personal data between service providers such as WhatsApp and Facebook to rival social media platforms. This includes taking account settings and information, including contacts, profile photos, and group names.

People will have the right for their personal data held by companies to be erased when they turn 18. They will also be able to demand an organisation discloses all the personal data it holds on them more easily and, for the first time, for free.

The Data Protection Act 2018 will force companies to use people’s personal data responsibly or risk millions of pounds in fines. These could run into billions of pounds and be as much as four per cent of a firm’s global turnover.

The Act will support UK businesses and organisations as we prepare to leave the European Union.

Minister for Digital and the Creative Industries Margot James said:

Today marks a milestone in the internet era, with new laws to put power back in people’s hands so they can be sure the information they share online is safe.

The Information Commissioner has been given the tools she needs to make sure organisations are held to account when they misuse or compromise data, but she has been clear they will be applied proportionately and adequately to help businesses prepare.

Starting today, people will be able to: - Get more information about how organisations will use and share their data

  • Withdraw consent for the use of their personal data more easily

  • Require an organisation to disclose the personal data it holds on them more easily – and, for the first time, for free

  • Move data between service providers such as rival social media platforms

  • Benefit from tougher cybersecurity rules, and the right to be told when their data is breached and the breach is sufficiently serious

  • Ask for their personal data held by companies to be erased in a wider range of circumstances, including when they turn 18

  • Benefit from a new age-appropriate design code that will help websites understand the needs of children and young people online.

The Information Commissioner’s Office (ICO) has been granted new powers to act swiftly when people’s data has been breached and allow her to hold rogue companies to account. This includes being able to:

  • Issue fines of up to £17 million or 4 per cent of global turnover for the most serious data breaches

  • Demand access to an organisation’s premises to carry out ‘no notice’ inspections without a warrant

  • Request a court order to force someone to share information, with the prospect of criminal convictions when this is not followed.

The Government will shortly publish a consultation on exemptions to paying ICO fees to ensure the regulations remain appropriate in the new regime.

Notes to editors

  • Organisations which hold and process personal data are urged to follow ICO’s guidance freely available from the Information Commissioner’s Office. Its dedicated advice line for small organisations has received more than 8000 calls since it opened in November 2017, and the Guide to the GDPR has had over one million views. The regulator also has a GDPR checklist, and 12 steps to take now to prepare for GDPR.

  • This guide explains the General Data Protection Regulation (GDPR) to help organisations comply with its requirements

  • Under the Data Protection Act, data controllers must have one of six legal bases for their processing activities. Consent is one such basis. The other five are: contractual necessity; vital interest; legal obligation; public interest and legitimate interest.

  • This is part of Government’s work to strengthen the UK’s data protection laws and make them fit for the digital age.

Published 25 May 2018