UK data reform plans revealed: a snapshot
DCMS publishes response to data reform consultation
DPOs, Records of Processing Activities and DPIA requirements are all set to go under UK Data Reform plans, as the Government pushes ahead with its intention to require organisations to implement a Privacy Management Programme (PMP).
Plans also include changes to PECR (the UK’s Privacy and Electronic Communications Regulations) including permitting charities to use the soft opt-in and allowing analytics cookies without consent.
The Government has set out the detail of how it plans to reform the data protection landscape in its response to the Autumn consultation.
(This article is not intended to cover the wide-ranging detail of the plans. The full consultation response from the Government can be found here).
- The Government plans to proceed with the requirement for organisations to implement Privacy Management Programmes (PMPs).
- Organisations currently compliant with the UK GDPR will not need to significantly change their approach, unless they wish to ‘take advantage of the additional flexibility the new legislation will provide’.
- Organisations will have to implement a PMP based on the ‘level’ of processing activities they’re engaged in and the volume and sensitivity of the personal data they handle.
- The PMP requirement will be subject to the same sanctions as under the current regime.
Data Protection Officers
- The requirement to designate a Data Protection Officer will be removed.
- There will be a new requirement to appoint a senior individual responsible for data protection. It’s envisaged most of the tasks of a DPO will become ‘the ultimate responsibility of a designated senior individual to oversee as part of the privacy management programme.’
Data Protection Impact Assessments
- Under the new PMP requirement, organisations will be required to identify and manage risks, but ‘they will be granted greater flexibility as to how to meet these requirements’.
- There will no longer be a requirement to undertake DPIAs as prescribed by UK GDPR. However, organisations will be required to make sure they have ‘risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation.’
- Organisations will be able, if they wish, to continue to use DPIAs but can tailor them based on the nature of their processing activities.
- Existing DPIAs will remain a valid way of achieving the new requirement.
Record of Processing Activities
- Personal data inventories will be needed as part of an organisation’s PMP, covering what personal data is held and where, why it has been collected and how sensitive it is.
- Organisations will not have to stick to the prescribed requirements set out under Article 30, UK GDPR.
Reporting Data Breaches
- No changes will be introduced to alter the threshold for reporting a data breach.
- The Government will work with the ICO to explore the feasibility of clearer guidance for organisations.
Subject Access Requests
- The Government plans to proceed with changing the current threshold for refusing or charging a fee for Subject Access Requests from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. It is said this will bring the threshold in line with the Freedom of Information regime.
- The Government does not intend to re-introduce a nominal fee for processing access requests.
Alongside changes to the current regime under UK GDPR, the Government’s plans include amendments to PECR. Key intended changes include:
- In the immediate term, the Government intends to permit cookies (and similar technologies) to be placed on a user’s device without explicit consent, ‘for a small number of other non-intrusive purposes’. It’s anticipated this will include analytics cookies which allow organisations to measure traffic to webpages and improve offerings to users.
- It’s intended these changes will apply to connected technology, including apps on smartphones, tablets, smart TVs or other connected devices, as well as websites.
- In the future, the Government intends to move to an ‘opt-out model of consent for cookies placed by websites’. The Government says its ambition is to improve the user experience and remove the need for ‘unnecessary’ cookie consent banners. It stresses an opt-out model would not apply to websites likely to be accessed by children (we’re assuming this means consent would be required) and its ambitions will be subject to an assessment that effective solutions are widely available for use.
Use of ‘soft opt-in’ extended
- The ‘soft opt-in’ exemption to consent (for email and SMS marketing) is set to be extended to charities and not-for-profits.
PECR fines to be increased
- The Government plans to proceed with proposals to increase fines under PECR. This will allow the ICO to levy fines of up to £17.5m or 4% of a business’s global turnover. This would bring fines in line with current fines under the existing regime. Currently the maximum fine under PECR is capped at £500,000.
- The Government plans to consider further whether political communications should remain within the scope of PECR’s direct marketing rules (or be excluded).
- It also intends to extend the soft opt-in so that ‘political parties and elected representatives can contact individuals who have previously shown an interest in the activities of the party (for example, by attending a conference or making a donation) without their explicit consent, provided they have been given an opportunity to refuse such communications at the point of providing their details’.
Human oversight of automated decision-making and profiling
- The Government notes the vast majority of respondents to the consultation opposed the proposal to remove Article 22. The right to human review of automated decisions is considered a fundamental safeguard. It was confirmed this proposal will not be pursued.
- The Government says it will be considering how to amend Article 22 to clarify the circumstances in which this must apply. It says it wants to align proposals in this area ‘with the broader approach to governing AI-powered automated decision-making’. This will form part of an upcoming white paper on AI governance.
- The Government intends to create a limited list of defined processing activities where there would not be a requirement to conduct a balancing test for legitimate interests. This list will initially be limited to ‘carefully defined processing activities’.
- This is likely to include processing activities to prevent crime, reporting safeguarding concerns or those which are necessary for important public interests reasons.
- The Government proposes a new power to be able to update this list subject to parliamentary scrutiny.
A key concern is whether UK data reform will put adequacy at risk. The European Commission has granted the UK adequacy, which allows for the free flow of personal data from the EEA to the UK without the need for additional safeguards. However, in granting adequacy the EC said it would keep the decision under review and could revoke it if any significant changes were made.
The Government does not believe its plans put this decision at risk. The consultation response says: “the UK is firmly committed to maintaining high data protection standards – now and in the future”.
Response from the ICO
UK Commissioner John Edwards says he shares and supports the ambition of these reforms. In particular he says “I am pleased to see the government has taken our concerns about independence on board”. You can read the ICO’s statement here. The independence of the ICO was cited by Mr Edwards as an area which could jeopardise adequacy (in recent evidence he gave to the Science and Technology Committee).
We now await the detail of the Data Reform Bill, which will be subject to parliamentary scrutiny. So there is still some way to go before the intended changes come into play.