Data Protection and what the Labour Government should do

July 2024

What should Keir Starmer’s team do about data protection?

After the Conservative Party’s crushing defeat on July 4th, we now have a Labour administration. As the General Election was called, the Data Protection and Digital Information Bill was progressing through Parliament. Although many thought it might just pass before an Election, the decision by Rishi Sunak to gamble everything on an early election led to the Bill’s abandonment.

The Bill itself was controversial, proposing a mixed bag of changes to data protection and ePrivacy laws. Views within the industry were, it is fair to say, divided.

I’ve asked industry insiders the question: what should the new Government do with UK GDPR, the Privacy and Electronic Communications Regulations (PECR), and AI? Here’s what they say.

Steve Wood, Founder & Director, PrivacyX Consulting and former UK Deputy Information Commissioner

“The New Government should firstly take a step back to consider its approach to public engagement on data and AI, particularly with civil society. As they seek to use AI to transform the public sector, a planned and long-term approach to meaningful transparency and engagement is vital. There are good foundations to build on for AI policy and the new Government should look at options to put AI principles on a statutory footing and what additional oversight and coordination is needed to make them effective.

There is scope for a focused AI and Data Bill, learning the lessons of the complexity and confusion in the DPDI Bill and what will really improve the outcomes of the data protection regime – for people and organisations. Changes to GDPR that should remain on the table include the new Information Commission reforms, the data protection test for international transfers and an exemption for analytics cookies.”

You can read more of Steve’s thoughts in his Substack blog – A Digital Policy Memo for the Minister’s Red Box

Chris Combemale, CEO, Data & Marketing Association (DMA)

“The DMA continues to believe that reforming the data protection regime in the UK is fundamental to driving growth, innovation, and wealth creation in the country. Doing so would be a strong sign of the new Government’s commitment to the industry and business. Amongst the most important reforms for DMA members are:

1. Reforms that establish greater certainty for the use of legitimate interests as a lawful basis, particularly for attracting and retaining new customers
2. Reforms that clarify how data can be better used to support scientific research and technology development
3. Reforms that reduce bureaucracy for small business
4. Reforms that enable Smart Data schemes to be introduced in appropriate sectors
5. Reforms that reduce the consent requirements for non-intrusive cookies
6. Reforms that update the law to enable beneficial update of automated decision-making like AI while maintaining strong safeguards

These reforms are consistent with the Labour Policy Forum position and indeed were supported by Labour during scrutiny of the former government’s DPDI Bill. The DMA will work closely with the incoming government to ensure these reforms become law.”

Read Chris’ Open Letter to all political parties

Robert Bond, Senior Counsel, Privacy Partnership Law and Chair, DPN Advisory Group

“The new Government needs to ensure that any changes it makes to our data protection regime do not harm our “adequacy” with the EU. However, I would welcome a review of the reliance on Legitimate Interest as a lawful ground for processing to bolster this useful ground. I would like to see a review of PECR and a proactive focus on practical AI legislation.”

Gerald Coppin, Deputy Group Data Protection Officer, Springer Nature

“I feel a Labour government should work on an international effort to harmonise the data privacy laws across major jurisdictions; it could make it easier for businesses to manage regulatory requirements. They could recommend or mandate techniques like differential privacy, federated learning, and synthetic data generation to enable AI development without compromising individual privacy. As well as expanding regulatory sandboxes that allow companies to test innovative AI applications in a controlled environment, while ensuring privacy safeguards are in place. A reduction in paperwork to prove compliance with the different laws would be MOST welcome!!”

Debbie Evans, Managing Director, FTI Consulting

“I want to be optimistic about change; however, it’s not going to be without challenge. Whilst I’m not proclaiming any particular political persuasion – my personal hope is that individual rights are given more visibility. Businesses consequently will need to take compliance more seriously as laws strengthen.”

Eduardo Ustaran, Partner, Hogan Lovells

“My view is that the new UK Government should aim to realise the opportunity to place the UK as a global leader in these areas. The UK is in an ideal sweet spot because it is close enough to the EU’s policy objectives of providing the highest levels of protection for personal data and human rights in the face of today’s AI revolution, but also understands the crucial importance of technological innovation for growth and prosperity. That combination is particularly attractive for responsible global businesses to model their regulatory compliance strategies for privacy, cybersecurity and AI. This is a crucial issue for the UK Government to get right and support its primary goal of growing the economy.”

Charles Ping, Managing Director, Europe, Winterberry Group

“Labour has a big task ahead, and by its own admission, limited resources. So using the eco-friendly mantra of reduce, reuse and recycle, they should take all three aspects into evolving our data protection legislation. Reduce the wasted time on devising new policy objectives in this area when there was cross-party consensus on the currently lifeless Data Protection and Digital Information Bill. Reuse, because the bill is pretty much “oven ready”, if that phrase hasn’t been rendered entirely valueless by a previous administration.

Recycle the old bill and ensure an expedited path through the corridors and meeting rooms of Westminster. I can’t see a new administration (or country) wanting a traditional summer recess, so this legislation should have time to whistle through and start making a difference.”

Eleonor Duhs, Partner and Head of Data & Privacy, Wells Bates LLP

“I think the new Labour Government, as a priority, should deal with the uncertainty created by the Retained EU Law (Revocation and Reform) Act 2023 (“REULA”) about how to interpret the UK’s data protection frameworks. REULA has turned the statute book on its head, with domestic law (whenever enacted) taking precedence over any law that was previously EU law (including UK GDPR). An example of the unintended consequences of this is in the area of exemptions from data subject rights. The Open Rights case (brought before REULA came into force) required the government to provide EU-standard protections for migrants when exercising data subject rights. But because of the reversal of the relationship between the UK GDPR and the Data Protection Act 2018, every other group in society now has a lower standard of protection for their data subject rights, compared with migrants.

This outcome was clearly not anticipated. In order to ensure data protection standards in the UK remain high, the new Labour government should bring forward legislation. It could either use the powers in REULA to reintroduce deleted principles in order to bring clarity and legal certainty. Alternatively, the best course of action may be to bring forward primary legislation to ensure that the UK statute book is stabilised. Powers to update our data protection frameworks should also be considered to ensure it continues to be current and tracks accepted EU and international standards. This would support growth and avoid the risk of losing the UK’s data adequacy decision, which is due to be reviewed next year.”

You can read more from Eleonor on the REULA here

While I appreciate reforming data protection law may prove not to be a high priority for the new Starmer Government, to offer my tuppence: if Labour does nothing else, I’d urge them to revise PECR. It’s desperately out of date, first introduced over 20 years ago, and then updated back in 2009 with the ‘cookie law’. The world has moved on. There were some proposed changes to PECR under the DPDI Bill which I favoured. In particular, a change allowing not-for-profits to take advantage of the so-called soft opt-in exemption to consent for marketing emails / texts. This is currently only available in a commercial context, which I feel is unfair. As others have mentioned, I’d also like to see a revision of the consent rules for website analytics cookies.

6 Steps to Manage International Data Transfers from the UK

June 2024

UK data protection law requires us to carefully consider and have specific measures in place to protect personal data and the rights of individuals when it’s transferred overseas.

Other jurisdictions have similar rules. For example, there are restrictions on personal data transfers from the European Union, Brazil, UAE, New Zealand and Singapore, to name a few.

In this article I’m focusing on UK-based organisations who are looking to transfer personal data outside the UK, and the key steps to take.

BALANCING THE RISKS

Tackling international data transfer can feel complex and overwhelming, but it really pays to make sure relevant stakeholders in your business are familiar with the requirements and understand the potential risks. Sometimes you may have limited control over the terms under which you do business with others. There will be times where there’s no room for negotiation on the terms. Where this is the case, a balance will need to be struck on the business necessity of entering the contract and the potential risks should restricted transfers not be adequately covered. Do you walk away and find a different solution, or accept the risk?

STEP 1: IDENTIFY PERSONAL DATA TRANSFERS

First you need to check if what you’re planning to do constitutes a restricted international data transfer.

🚩 Are you transferring or sharing personal data with an organisation located outside the UK? This could be a new supplier/service provider or another organisation you need to share data with.

🚩 Are you making personal data available to another entity located outside the UK? Can the data be accessed by another entity’s employees?

The receiver of the personal data could be a separate company, a public body, a sole trader or another legal entity within a group of companies. Here are some examples:

Suppliers based outside the UK

Transferring personal data to, or permitting access to it by, a supplier/service provider based in the US, India, France, Australia or anywhere else in the world.

Partner organisations based outside the UK

Sharing personal data with any organisation based overseas, who may be using the personal data for their own purposes. This includes sending paper or electronic documents, by email or post, or permitting another organisation access to your systems.

Group entities based outside the UK

Sharing employee, customer or any other personal data with a separate legal entity within your corporate group which is located outside the UK. This includes employees working for an overseas entity having access to personal data on the UK organisation’s systems.

Important note: It would not constitute a restricted transfer if someone employed by a UK-based company accesses personal data from overseas. For example, a colleague on a business trip can access UK systems from anywhere in the world.

STEP 2: CHECK IF AN EXCEPTION APPLIES

There are some limited exceptions where you don’t need an adequacy decision or other safeguard mechanism. The ICO makes it clear most exceptions include the word ‘necessary’, and while this doesn’t mean the transfer has to be absolutely essential, it ‘must be more than just useful and standard practice’.

To rely on an exception you need to assess whether the transfer is objectively necessary and proportionate, and can’t reasonably be achieved in another way. Exceptions are most likely to be appropriate for occasional transfers, a low volume of data and where there is a low risk of harm when personal data is transferred. Here are some of the most popular exemptions, and a full list can be found here.

📌 Explicit Consent – the transfer is done with the explicit consent of the individual whose data is being transferred, and where they are informed of possible risks.

📌 Contract – where the transfer is necessary for the performance of a contract between the individual and the organisation or for necessary pre-contractual steps.

📌 Public Interests – the transfer is necessary for important reasons of public interest.

📌 Legal Necessity – the transfer is necessary for the establishment, exercise or defence of legal claims.

📌 Vital Interests – the transfer is necessary to protect people’s vital interests (i.e. in a critical life or death situation) where the individual cannot legally or physically give

STEP 3: CHECK IF DESTINATION COUNTRY HAS AN ADEQUACY DECISION

If a country has been awarded ‘adequacy’, there is no legal requirement for any further additional safeguards. Adequacy status is awarded to certain countries which have been judged to have a level of data protection standards similar to the UK’s. An adequacy decision essentially allows for the free flow of personal data between the UK and another country.

Adequacy decisions are kept under regular review, and can be overturned, so some organisations take a belt and braces approach and adopt additional safeguards.

European Economic Area / UK

The European Commission has granted the UK ‘adequacy’ for the time being, and this is reciprocated by the UK. Therefore, personal data can flow freely between the UK and countries in the EEA. This includes the EU member states and the EFTA states.

Other adequate countries

The UK adopted all EU adequacy decisions as of January 2021. Therefore personal data can flow freely between the UK and countries such as Switzerland, New Zealand, Uruguay, Israel and Japan.

See a full list of European Commission Adequacy Decisions. The UK Government has the power to make its own ‘adequacy decisions’ on countries it deems acceptable for transfers from the UK.

United States

The ‘UK-US Data Bridge’ came into play in the Autumn of 2023. This extension to the EU-US Data Privacy Framework (DPF) permits the free flow of personal data between the UK and US, but only if the US company has:

    • self-certified and meets the principles of the DPF, and
    • signed up to the UK ‘data bridge’ extension.

For a list of self-certified organisations see US Department of Commerce DPF

STEP 4: SELECT A SAFEGUARD MECHANISM (IF NECESSARY)

If there is not an adequacy decision for the destination country and you aren’t able to rely on a limited exception, there’s a requirement to make sure specific provisions are in place. Organisations have the following options in order to comply with UK GDPR.

📌 UK International Data Transfer Agreement (IDTA)

This is a standalone legal contract which has been published by the UK ICO. Its purpose is to safeguard personal data which is sent outside of the UK.

📌 EU Standard Contractual Clauses (SCCs) with UK Addendum

The EU SCCs are contracts which have been produced by the European Commission for the purpose of safeguarding personal data sent outside the EU. The ICO stresses EU SCCs are not valid for restricted transfers under UK GDPR on their own; it’s necessary to use the UK Addendum as well. It’s also worth noting new EU SCCs were published in 2021 and the old versions are no longer valid for UK organisations to use, so make sure you haven’t got any outdated SCCs lurking in existing contracts.

📌 Binding Corporate Rules (BCRs)

BCRs can be used as a safeguard for intra-group transfers. Some global organisations have gone down this route, but it is onerous and takes a considerable amount of time, as BCRs must be approved by a relevant data protection authority (such as the ICO). Therefore many organisations opt for EU SCCs with the UK Addendum, or the IDTA.

📌 Other safeguards

Other safeguard measures include approved codes of conduct, approved certification mechanisms, or legally binding and enforceable instruments between public authorities or bodies.

STEP 5: CONDUCT TRANSFER RISK ASSESSMENT (IF NECESSARY)

If you are looking to rely on the IDTA, or EU SCCs with the UK Addendum, there’s a requirement to conduct a Transfer Risk Assessment (TRA). This is a written assessment to determine whether personal data will be adequately protected and to assess the likelihood and severity of risks to people’s fundamental rights and freedoms. A key aspect of this is assessing whether foreign governments or public bodies could override the safeguard measures you have in place.

The ICO has published TRA Guidance, which includes a TRA tool: a template document of questions and guidance to help businesses carry out a TRA. You can also use the EU alternative, a Transfer Impact Assessment (TIA).

STEP 6: KEEP UNDER REVIEW

The rules relating to international data transfers have been subject to a number of significant legal rulings and changes over the past decade, and it’s therefore important to keep abreast of developments; new adequacy decisions may be issued, and existing decisions could be overturned.

An area to definitely keep an eye on is the EU’s adequacy decision for the UK. This is expected to last until June 2025, but is up for review. It could be extended, but if it isn’t it will expire on 27 June 2025.

UK Data Protection and Digital Information Bill Summary

Could the DPDI Bill pass into law before a general election?

It’s been confirmed the Data Protection and Digital Information Bill (DPDI) will not be passed before the UK General Election on 4th July. The Bill could potentially be resurrected under a new Government, or it may be completely dead.

The Conservative Government’s stated aim in reforming UK data laws was to ease the burden on businesses, particularly smaller ones. GDPR is perceived by some to be overly burdensome, onerous, and at times a ‘box-ticking’ exercise. While the DPDI Bill has been welcomed in some quarters, it faces fierce criticism in others.

The Bill sets out amendments to UK GDPR, the Data Protection Act (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR).

Here’s a reminder of the changes and what they’d mean in practice.

In our opinion here at the DPN there’s nothing massively radical about the DPDI Bill. The core data protection principles, individual privacy rights and controller/processor obligations will remain the same. Yes, there’ll still be a need for detailed contracts between clients and their suppliers.

How to manage suppliers and service providers

For many larger organisations which operate across EU / global markets, as well as the UK, it could be mostly business as usual with GDPR remaining the benchmark.

There’s unlikely to be a huge impact on most small to medium sized businesses whose processing is not particularly large scale or sensitive. Existing law already provided extra flexibility for these SMEs, for example they may not need to appoint a Data Protection Officer, or to create and maintain a Record of Processing Activities.

For others, depending on their size, the nature of their business and their operational structure, it may necessitate changes and potential efficiencies. Remember, nothing is set in stone yet!

8 key areas of data reform

The Bill is over 200 pages long, so we’ve selected some broad top-level points, summarising what’s proposed and our take on these potential changes.

1. Records of Processing Activities (RoPA)

Currently organisations (both controllers and processors) are required to keep a RoPA, and GDPR sets out the requirements for what information must be included in your RoPA. There’s a limited exemption for organisations with fewer than 250 employees where the processing is not high risk and does not involve special category or criminal convictions data.

What’s proposed?

The requirement to have a RoPA as stipulated under GDPR will be removed. Organisations which carry out ‘high risk’ processing would be required to keep ‘appropriate records’. Other organisations would still be under an accountability obligation to make sure appropriate measures are in place to comply with data protection law and protect personal data.

Our take on scrapping the RoPA requirement

A RoPA is a valuable business asset, to identify and keep track of what data you have and where, what it’s used for, your lawful basis, any international data transfers and so on. It’s fundamental to many other data protection processes. It can prove invaluable in getting to grips with the full scope of your processing, identifying data risks, assisting with transparency requirements (e.g. privacy notices), fulfilling individual privacy rights requests and handling data breaches.

However, we know from DPN audience surveys creating and maintaining a RoPA can be a real headache for organisations. Many say their current records don’t fully meet GDPR requirements or ICO expectations. For some businesses, creating the RoPA can lead to duplication of effort and many businesses have taken a risk-based approach, focusing on their main risk areas.

We wouldn’t recommend ditching any hard work you may have already done, because you can still gain benefit from it. If your RoPA isn’t complete, these proposed changes could take the pressure off somewhat.

For smaller businesses (below the current RoPA threshold) we would always recommend keeping some form of record of your activities, and our advice wouldn’t change. Listen back to our webinar on data discovery and record keeping.

2. Data Protection Risk Assessments

Currently organisations are required to conduct a Data Protection Impact Assessment (DPIA) for ‘high-risk’ processing activities. The ICO and EU regulators provide a list of examples of when a DPIA must be conducted (and when it might be a good idea). EU/UK GDPR sets out what criteria should be included in these assessments.

What’s proposed?

The specific requirements relating to a DPIA will be removed. Organisations will need to conduct risk assessments for ‘high risk’ processing, but will have more flexibility and won’t be tied to specific DPIA requirements or templates.

Our take on scrapping DPIAs

Increased flexibility for organisations regarding when and how they conduct risk assessments should be welcomed. However, if you currently have an effective risk screening process and DPIA template which works for your organisation, and many do, you may decide there’s no reason to ‘fix something that’s not broken’. Also, don’t forget you may still be under an obligation to conduct DPIAs if subject to EU GDPR.

DPIAs are a well-established method to identify and mitigate privacy risks prior to the launch of any project involving personal data. We recognise some organisations may choose to benefit from this new flexibility and look for efficiencies by adopting a streamlined and perhaps bespoke process for risk assessments.

Quick guide to DPIAs

3. Senior Responsible Individual for data protection

Currently some (but certainly not all) organisations fall within the mandatory requirement to appoint a Data Protection Officer. Others have voluntarily chosen to appoint one. It’s worth noting a DPO’s position within the business, responsibilities and tasks are mandated under EU/UK GDPR. See SRI vs DPO

What’s proposed?

The requirement to appoint a DPO will be scrapped. Public authorities and other organisations carrying out ‘high risk’ processing will be required to appoint a Senior Responsible Individual (SRI) – someone accountable in the business for data protection compliance. This individual must be a member of senior management.

The proposed changes are also likely to impact on what ‘accountability’ looks like, and what businesses would be expected to have in place to demonstrate their compliance with data protection law. Currently the ICO has a detailed accountability framework. We understand a new ‘risk-based accountability framework’ will be introduced, requiring organisations to have in place a Privacy Management Programme, with flexibility to tailor this to suit the scale and nature of the organisation’s specific processing activities. It’s thought likely any existing accountability measures in place to comply with GDPR would not have to be changed.

Our take on DPO changes

There’s been plenty of confusion since GDPR came into force in 2018 about which organisations are required to appoint a DPO. Some businesses have felt they needed to appoint one when in fact they didn’t need to. Others have appointed DPOs virtually in name only, without fully appreciating the legal obligations relating to the role. DPO myth buster

This change could give organisations more flexibility, but equally it could muddy the waters and potentially lead to conflicts of interest. The independent advice a DPO should give may be lost.

4. Vexatious Data Subject Access Requests

Currently requests under the Right of Access (aka DSARs/SARs) can be refused, in part or in full, if they are judged to be ‘manifestly unfounded’ or ‘manifestly excessive’.

What’s proposed?

A concept of ‘vexatious or excessive’ will replace ‘manifestly unfounded or excessive’. Controllers will be permitted to take into account whether a request is intended to cause distress, is made in bad faith or is an abuse of power.

Our take on vexatious DSARs

Anecdotally we know of many cases where DSARs are being seen to be ‘weaponised’: not submitted to benefit the individual, but used primarily as a means to cause problems for an organisation. We welcome changes giving businesses increased grounds to decline inappropriate requests, where it’s clear the individual is not genuinely making the request because they want a copy of their personal data.

DPN DSAR Guide

5. Recognised Legitimate Interests

Currently organisations can rely on the lawful basis of legitimate interests when the processing is considered to be necessary and balanced against the interests, rights and freedoms of individuals. There’s a requirement to conduct a balancing test: a Legitimate Interests Assessment (LIA).

What’s proposed?

The concept of ‘recognised’ legitimate interests is planned, where there will be an exemption from the requirement to conduct a balancing test (LIA) in certain situations. These ‘recognised’ legitimate interests cover purposes such as national security, public security, defence, emergencies, preventing crime, safeguarding and democratic engagement.

The Bill also includes other examples where legitimate interests could be appropriate, but would require a balancing test. Examples include direct marketing, intra-group transmission for admin purposes and security of network and information systems (although we are a little surprised the latter didn’t make it onto the list of recognised legitimate interests).

Our take on ‘recognised’ legitimate interests

We welcome this change, as it makes sense to reduce the paperwork required for activities which are straightforward or very clearly in the interests of both the organisation and individuals.

The fact direct marketing may be carried out as a legitimate interest is not new. This is already in GDPR Recital 47, but it is reinforced by its presence in the Bill. This is a welcome clarification, but we would caution that under the UK’s Privacy and Electronic Communications Regulations (PECR) there will still be certain circumstances where consent is required.

Quick Guide to GDPR and PECR

6. Extension of the ‘soft-opt-in’ exemption under PECR for charities & other not-for-profits

Currently under PECR it’s a requirement to have consent to send electronic marketing, for example email or text marketing messages, unless you can rely on and meet the requirements of the so-called ‘soft opt-in’ exemption. This exemption is only available where the data is used for commercial purposes. Its use by charities is limited to the context of a sale, for example selling goods in a charity shop, and can’t, for example, be used in the context of donations.

What’s proposed?

The soft opt-in exemption will be extended to non-commercial organisations, covering where the direct marketing is:

  • solely for the purpose of furthering charitable, political or other non-commercial objectives (i.e. including donations!)
  • where the contact details have been obtained during the course of a recipient expressing an interest or providing support, and
  • where the recipient is given a clear and simple means of objecting to direct marketing at the point their details were collected, and in every subsequent communication.

Our take on extending use of soft opt-in

We welcome the move to allow charities to take advantage of an exemption which has been available for commercial purposes for years. Clearly, it will be for each charity to decide whether they stick with consent or change to soft opt-in. It can only be used going forward – it’s not an opportunity to re-contact those who didn’t give consent or opted-out in the past!

Charities will have to carefully think through the pros and cons of moving to soft opt-in and would be wise to check if their CRM systems could store multiple permission statuses for legacy data alongside new data gathered under soft opt-in.

What could the marketing soft opt-in mean for charities?

7. Cookies and similar technologies

Currently informed consent is required under PECR for all cookies and similar technologies deployed onto a user’s device. There is a limited exemption for ‘strictly necessary’ cookies.

What’s proposed?

There are provisions to expand the categories of cookies which don’t require consent, for example website analytics. There’s also a desire to reduce or eliminate the need for cookie pop-ups, but it’s not yet clear how exactly this will be achieved.

Our take on cookies

Many businesses would welcome easing the existing requirements, although we anticipate few websites will, in reality, be able to compliantly get rid of cookie banners, unless radical changes are made! We look forward to clarification on exactly how the proposed changes might work in practice to benefit businesses and the public.

8. Increased fines under PECR

Currently, fines for violations under UK PECR are capped at £500,000.

What’s proposed?

Bringing the level of maximum fines in line with UK GDPR, meaning the ICO could issue fines of up to circa £17 million, or 4% of a business’s global turnover.

Our take on increased PECR fines

The ICO tends to take a proportionate approach to enforcement, and we envisage substantial fines would be reserved for spammers and rogue telemarketing businesses who flagrantly disregard the rules. If this goes some way to deterring bad operators and protecting the public, this could be a good thing.

Other DPDI Bill points worth noting

Scientific research

The Bill includes specific changes in relation to using personal data for scientific research, and what qualifies as scientific research. (This area could be an article in itself!)

International data transfers

The Bill doesn’t propose any significant changes to the international data transfer regime. It makes it clear mechanisms entered into before the Bill takes effect will continue to be valid. At last, some welcome news for all those grappling with the UK IDTA or the EU SCCs with the UK Addendum!

International Data Transfers Guide


The above just touches on the key proposals; as said, it’s a very lengthy document! In our view the UK’s Data Protection and Digital Information Bill marks a significant but not giant step away from GDPR. There are good reasons why the Government is keen not to diverge too far. It does not want to risk the current European Commission ‘adequacy decision’ for the UK being overturned. This adequacy decision allows for the free flow of personal data between the EU and UK, and there could be a significant negative impact for many businesses if UK adequacy is revoked. We don’t know yet if the European Commission will view the Bill as a step too far.

What next?

The DPDI’s third reading is set for mid June, and there’s a possibility it will gain Royal Assent – i.e. be enacted into law before Parliament’s Summer Recess (which starts on 24 July).

DPDI Bill: DPO vs Senior Responsible Individual

What could the UK DPDI Bill mean for data protection roles in your organisation

It’s been confirmed the Data Protection and Digital Information Bill will not be enacted before the UK General Election on 4th July.  It remains to be seen if this is resurrected under a new Government, in a similar or amended form, or is completely dead.

One of the key proposed changes was to amend UK GDPR to remove the requirement for the role of the Data Protection Officer. Instead, where public bodies and commercial businesses meet certain criteria, they would be required to appoint a Senior Responsible Individual (SRI).

I’ve taken a close look at the proposed SRI requirements, compared these with the current DPO role and assessed the options for how this change might play out in practice.

My observations are based on what we know to date, so these findings have the potential to change before agreement on a final text.

Just because DPDI as planned does not include a requirement to appoint a DPO, it’s worth stressing, this doesn’t mean an organisation can’t have one. In fact, for many UK-based organisations operating in the EU, who’ve already appointed a DPO, they may need to retain this position to comply with EU GDPR.

When to appoint an SRI

Currently a DPO must be appointed by public bodies and other organisations (both controllers and processors) if core activities involve the large-scale and systematic monitoring of individuals or core activities involve large-scale processing of special category data or data relating to criminal convictions and offences. The DPO must report to the highest level of management. 

(There is a distinction under existing legislation for courts acting in their judicial capacity. This is also covered in the DPDI Bill, but not a focus in this article.)

The proposed change is a requirement to designate an SRI, where the organisation (either controller or processor):

  • is a public body, or
  • carries out processing of personal data likely to result in a high risk to the rights and freedoms of individuals.

The SRI would need to be part of the organisation’s senior management. If two or more individuals are employed part-time and share a single role within the organisation’s senior management, they would be able to act jointly as the SRI.

Also, in a similar way to the current DPO obligations, the controller or processor would have to make sure contact details for the SRI are publicly available and provide these details to the Information Commissioner’s Office (ICO).

What constitutes ‘high risk’?

Organisations would need to take account of the ‘nature, scope, context and purposes of the processing of personal data’ in assessing whether their activities are ‘high risk’ and they therefore fall under the SRI requirement. So, rather than the current focus on whether the processing of personal data is ‘large-scale’, the focus would shift to whether that processing is ‘high risk’ to the rights and freedoms of individuals.

The ICO will be under an obligation to produce and publish a document containing examples of the types of processing which would be considered likely to result in a ‘high risk’ to the rights and freedoms of individuals.

What constitutes ‘senior management’? 

It’s stated the term ‘senior management’ means individuals with ‘significant roles in making decisions about how the whole, or a substantial part of the organisation’s activities are managed or organised.’

Currently there is a requirement for DPOs to be ‘designated based on professional qualities and in particular, expert knowledge of data protection law and practices’. 

It is not specifically mentioned in the Bill that the SRI needs specialist knowledge.

SRI tasks

The Bill splits the tasks of the SRI between a controller and a processor. In our experience many organisations which act primarily as processors will also be controllers, even if solely for their employee data, so will need to consider all SRI tasks. It’s clear the SRI can make sure these tasks are carried out by another person, i.e. they can delegate their responsibilities in part or in full.

The table below sets out the tasks of the SRI for a controller, and how these compare with the current tasks of a DPO. This is based on DPDI Bill as amended by the House of Lords’ Grand Committee and the text of Article 39, UK GDPR.

SRI tasks for a controller

[Table (image in the original): SRI tasks for a controller compared with the current tasks of a DPO]

SRI tasks for a processor

The SRI appointed by a processor would be expected to fulfil at least the following tasks (again, these tasks could be delegated):

(a) Monitoring compliance with a processor’s obligations to:
– Make sure contractual terms are in place with Controllers meeting required standards (e.g. Article 28)
– Maintain ‘records of high-risk processing of personal data’, where relevant. Note the existing requirements relating to Records of Processing Activities would change, which we’ve written about in our DPDI Bill Summary.
– Implement appropriate measures, including technical and organisational measures to protect personal data.

(b) Co-operating with the Commissioner on behalf of the organisation.

(c) Acting as contact point for the Commissioner on issues relating to the processing of personal data.

(The above is not the precise text from the Bill which makes reference to three specific articles (28, 30A and 32), which we’ve explained in more detail.)

Can data protection services still be outsourced?

Currently a DPO ‘may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract’. This means organisations can utilise outsourced DPO services.

It isn’t specifically stated in the Bill that outsourcing of data protection tasks or services is not permitted, so we would anticipate this approach should be acceptable.

SRI and conflict of interests

Currently DPOs ‘should be in a position to perform their duties and tasks in an independent manner.’

As the SRI will be a member of the senior management team, this raises the risk of conflicts of interests. The Bill says where the performance of one or more SRI tasks would result in a conflict of interests, the SRI must make sure the task is carried out by another person. This can be alone or jointly with others. In assigning tasks to others, it will be necessary to take into consideration:

  • the other person’s professional qualifications and knowledge of the data protection legislation;
  • the resources available to the other person to carry out the task; and
  • whether the person is involved in the day-to-day processing of personal data for the controller or processor – and if so whether this affects the person’s ability to perform the task.

Position of the SRI

Currently there’s a requirement to make sure:

  • the DPO is involved, properly and in a timely manner, in all issues relating to the protection of personal data;
  • the DPO is supported in performing their tasks, by being provided with the resources necessary and the ability to maintain expert knowledge;
  • the DPO is not dismissed or penalised for performing their tasks;
  • data subjects can contact the DPO with regard to all issues relating to the processing of personal data and to exercise their rights;
  • the DPO is bound by secrecy or confidentiality concerning the performance of their tasks;
  • where the DPO fulfils other tasks or duties, these do not result in a conflict of interests.

Under proposed changes, organisations will have an obligation to:

1) support the SRI in the performance of their tasks, including providing the individual with appropriate resources; and
2) not dismiss or penalise its SRI for performing their SRI tasks.

Where the SRI decides one or more of their tasks should be performed by another person, the organisation must make sure that individual has appropriate resources, is not dismissed or penalised for performing the task and does not receive instructions about the performance of the task. This doesn’t stop the SRI giving instructions, unless this would involve a conflict of interests.

How to apply changes in practice

Here are some potential options depending on what roles you have in place now, but not an exhaustive list.

Currently have in-house DPO

If you currently have a nominated DPO and you assess your processing activities to be ‘high risk’, thereby falling within scope to assign a SRI, here are some potential options:

a) Make your DPO a member of senior management and assign them as your SRI.

b) Assign the individual your DPO currently reports into as your SRI. The SRI could then delegate some or all of their tasks to your DPO. You could keep the title DPO or change it to something else.

c) Assign another individual from your senior management team to be the SRI, who could delegate all or some of their responsibilities to the current DPO.

d) Remove the DPO position and assign an SRI. The SRI could fulfil all tasks, delegate some or all tasks, and would have to delegate a task / tasks where there was assessed to be a conflict of interests.

Clearly d) wouldn’t be an option if you need to retain the role of a DPO to meet EU GDPR requirements.

Currently have external ‘outsourced’ DPO

It looks like you’ll be able to assign an SRI internally, who could outsource their tasks to your current external DPO.
Remember the SRI’s details would need to be publicly available and provided to the ICO.

Currently don’t have DPO

You’ll need to assess whether your processing activities constitute ‘high risk’ and if so assign an SRI.

What next?

The DPDI Bill finished the House of Lords’ Grand Committee Stage at the beginning of May and the Report stage is set for mid-June. Then there will be a Third Reading, after which it could gain Royal Assent before the Parliamentary Summer Recess in July. This would be where the King formally agrees to make the Bill an Act of Parliament i.e. the law.

If this happens, it’s likely some changes may take immediate effect, while there will be a transition period for others. Check out other key proposed changes in our DPDI Bill Summary.

What does the IKEA CCTV story tell us?

April 2022

Only set up video surveillance if underpinned by data protection by design and default

What happened?

Following an internal investigation, IKEA was forced to apologise for placing CCTV cameras in the ceiling voids above the staff bathroom facilities in their Peterborough depot. The cameras were discovered and removed in September 2021, but the investigation has only just concluded in late March 2022.

An IKEA spokesman said:

 “Whilst the intention at the time was to ensure the health and safety of co-workers, we understand the fact that colleagues were filmed unknowingly in these circumstances will have caused real concern, and for this we are sincerely sorry.”

The cameras were installed following “serious concerns about the use of drugs onsite, which, owing to the nature of work carried out at the site, could have very serious consequences for the safety of our co-workers”.

They had been sanctioned following “multiple attempts to address serious concerns about drug use, and the use of false urine samples as a way of disguising it”.

“The cameras placed within the voids were positioned only to record irregular activity in the ceiling voids,” he said.

“They were not intended to, and did not, record footage in the toilet cubicles themselves. However, as a result of ceiling tiles becoming dislodged, two cameras inadvertently recorded footage of the communal areas of two bathrooms for a period of time in 2017. The footage was not viewed at the time and was only recovered as part of these investigations.”

Apology and new ICO guidance

The key question raised by this incident is where to draw the line. When is it inappropriate to set up CCTV? In this instance, the company had concerns about drug misuse – but was that a good enough reason? I think a lot of us intuitively felt the answer was no. 

This apology conveniently coincides with the recent publication of new guidance on video surveillance from the ICO regarding the UK GDPR and the Data Protection Act 2018.

This guidance is not based on any changes in the legislation – more an update to provide greater clarity about what you should be considering.

Video surveillance definition

The ICO guidance includes all the following in a commercial setting:

  • Traditional CCTV
  • ANPR (automatic number plate recognition)
  • Body Worn Video (BWV)
  • Facial Recognition Technology (FRT)
  • Drones
  • Commercially available technologies such as smart doorbells and dashcams (not domestic settings)

Guidance for domestic use is slightly different.

Before setting up your video surveillance activity 

As part of the system setup, it’s important to create a record of the activities taking place. This should be included in the company RoPA (Record of Processing Activities).

As part of this exercise, one needs to identify:

  • the purpose of the lawful use of surveillance
  • the appropriate lawful basis for processing
  • the necessary and proportionate justification for any processing
  • identification of any data-sharing agreements
  • the retention periods for any personal data

As with any activity relating to the processing of personal data, the organisation should take a data protection by design and default approach when setting up the surveillance system.

Before installing anything, you should also carry out a DPIA (Data Protection Impact Assessment) for any processing that’s likely to result in a high risk for individuals. This includes:

  • Processing special category data
  • Monitoring publicly accessible places on a large scale
  • Monitoring individuals at a workplace

A DPIA means you can identify any key risks as well as potential mitigation for managing these. You should assess whether the surveillance is appropriate in the circumstances.

In an employee context it’s important to consult with the workforce, consider their reasonable expectations and the potential impact on their rights and freedoms. One could speculate that IKEA may not have gone through that exercise.

Introducing video surveillance

Once the risk assessment and RoPA are completed, other areas of consideration include:

  • Surveillance material should be securely stored, with unauthorised access prevented
  • Any data transmitted wirelessly or over the internet requires encryption to prevent interception
  • How easily data can be exported to fulfil DSARs
  • Ensuring adequate signage is in place to define the scope of what’s captured and used.

Additional considerations for Body Worn Video  

  • It’s more intrusive than CCTV so the privacy concerns are greater
  • Whether the data is stored centrally or on individual devices
  • What user access controls are required
  • Establishing device usage logs
  • Whether you want continuous or intermittent recording
  • Whether audio and video should be treated as two separate feeds

In any instance where video surveillance is in use, it’s paramount individuals are aware of the activity and understand how that data is being used.

Managing data transfers from the UK

February 2022

The new International Data Transfer Agreement (IDTA) and Addendum is a sensible evolution of the old SCCs

International Data Transfers – to recap

Whenever UK-based organisations arrange the transfer of personal data to a third country outside the UK, they need to make sure the transfers are lawful, by confirming the data security and rights of individuals remain protected when data leaves the country.

Since the famous “Schrems II” ruling by the European Court of Justice in 2020, this activity has been thrown into disarray. To remind you, this is the ruling which invalidated the EU-US Privacy Shield and raised concerns about the use of EU Standard Contractual Clauses (SCCs) to protect the data. 

Soon after, the European Commission set to work to update the EU SCCs. These were drafted and enacted fairly swiftly, taking effect on 27th June 2021.

What are the new EU SCCs?

The new EU SCCs were expanded to introduce more flexible scenarios: 

  • SCCs are now modular, meaning that they can accommodate different scenarios: you pick the parts which relate to your particular situation.
  • The SCCs cover four different transfer scenarios, including processors:
    • Controller to controller
    • Controller to processor
    • Processor to controller
    • Processor to processor
  • More than two parties can accede to the SCCs, meaning additional controllers and processors can be added through the lifetime of the contract. This potentially reduces the administrative burden.

How did this affect the UK? 

On 28th June the UK’s adequacy decision was adopted. On September 27th 2021, the prior version of the SCCs expired.

In our webinar last year, it was obvious that everyone was confused. The situation caused by the “Schrems” ruling was compounded by the fact that Brexit had been completed. This meant we could no longer apply the SCCs approved in Europe. The UK needed its own SCCs, but they did not exist. 

The ICO consultation

From August to October 2021, the ICO conducted a consultation to understand how a UK version of these rules should be enacted. Since we had been granted an adequacy agreement by the EU, we all hoped it would be possible to mirror the SCC arrangements in UK law, thus reinstating the means by which we can lawfully export data to places such as the US.

Anecdotally the resounding view was not to mess with the principles enshrined in the EU SCCs as it would simply add complexity to an already complex situation.

The ICO conclusion

In January, the ICO published the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses. To the layperson, the EU’s standards have been adopted. 

What’s included in the Agreement and Addendum? 

    1. The International Data Transfer Agreement (IDTA) replaces the old EU SCCs which were relied upon to provide the appropriate safeguards required under the UK GDPR for international data transfers from the UK. There are differences to the new EU SCCs – it is a single all-encompassing agreement that incorporates all the scenarios identified in EU SCCs. One can omit sections and there is no requirement for it to be signed. This is most useful for those creating new data transfer agreements.
    2. The UK Addendum is a far simpler document. It is an addendum to the EU SCCs where references to EU laws are replaced by references to UK laws. It allows businesses to use the EU SCCs for international data transfers from the EU but also from the UK. These are useful for those already using the EU SCCs who want a simple addendum to update the legal context. 

When does this come into force?

The IDTA was laid before Parliament on 2nd February 2022. It comes into force on 21st March if there are no objections. To all intents and purposes, it’s in force now. The Information Commissioner’s Office (ICO) has stated the IDTA and UK Addendum:

“are immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval”.

What does this all mean?

In practice, UK businesses can breathe a sigh of relief and get on with their lives. There is clarity at last. Existing agreements need to be updated with the UK Addendum and new ones can be put in place with the International Data Transfer Agreement. There will be an administrative burden, but businesses now know what they need to do. Good sense has prevailed.