In May 2018, the EU General Data Protection Regulation (GDPR) is due to come into force in the UK, which will replace the Data Protection Act 1998.
The GDPR will widen the definition of ‘personal data’ to include data that relates to an ‘identifiable’ natural person, as opposed to just an ‘identified’ person. This means data may be ‘personal’ even if the organisation holding the data cannot itself identify a natural person. It also brings in provisions for the ‘right to data portability’, allowing an end user to request all data held about them; and a ‘right to be forgotten’.
Legal frameworks provide specific protections for customers on how data is obtained, handled and exchanged. However the landscape is evolving very rapidly. Data is sensitive and regulation needs to avoid playing catch-up with technology, or introducing unintended consequences to the market. Emerging regulatory and technological developments mean that there are future concerns for protecting individuals’ privacy which in turn raises questions about civil liberties.