The Government’s consultation on UK data protection reform contains a number of sensible proposals to ease the burden on business. There are also a few surprises likely to raise eyebrows in Brussels. The headlines are:
- The UK is not about to become the ‘Wild West’ for data, as some may have feared
- Changes to both UK GDPR and the UK’s Privacy and Electronic Communications Regulations (PECR) look likely
- A probable relaxation of several areas of UK GDPR, with a focus on outcomes rather than prescribed processes
- Plans to increase fines under PECR to match those under GDPR, a clear warning to those flagrantly disregarding marketing rules
- The consultation is a ‘direction of travel’ – nothing’s carved in stone. It’s business as usual for now
The Government’s overall aim is to drive economic growth and innovation and strengthen public trust in use of data.
The way they want to achieve this is to alleviate some of the more prescriptive GDPR obligations on business, whilst retaining a robust data protection regime built largely on existing laws.
This approach is in keeping with the UK’s common law tradition, shared by Australia, New Zealand, Jamaica, Pakistan and Singapore (to name a few), as opposed to the civil law systems used across most of Europe. Common law is viewed by its proponents as more flexible, and they argue it’s also why legal proceedings tend to move more quickly in UK courts than in many EU jurisdictions.
It’s clear the UK Government hopes any changes will remain compatible with the EU’s adequacy decisions for the UK, so that personal data can continue to flow freely from the EEA without additional safeguards.
Data regime proposals: 12 highlights
1. Accountability & Privacy Management Programmes (PMPs)
Changes to the accountability framework are proposed, with businesses expected to have a Privacy Management Programme in place. This approach to accountability is long-established in countries such as Australia, Canada and Singapore.
It’s argued this would allow organisations to implement a risk-based privacy programme based on the volume and sensitivity of personal data they handle, and the types of activities they’re involved in.
By doing this, the proposal seeks to do away with some of the accountability obligations under the current UK GDPR which many consider burdensome.
Organisations will still need to know where their data is, what it’s used for, apply lawful bases, implement robust security measures, manage suppliers, assess privacy risks and fulfil privacy rights. But there could be more flexibility and control over how you achieve this.
This doesn’t mean ripping up all the hard work you’ve done to comply with GDPR.
When the dust has settled, many organisations may choose to stick with the tried and tested framework they’ve already established. Others may jump on the opportunity to adapt their approach.
And let’s not forget, UK businesses operating in Europe will still be governed by EU GDPR.
2. No mandatory Data Protection Officers
The consultation proposes removing the mandatory requirement to appoint a DPO.
Under GDPR, public authorities must appoint a DPO, and organisations in the commercial sector must do so if they meet specific criteria. GDPR also sets out requirements and responsibilities for the role.
It’s proposed the requirement for a DPO is replaced with a requirement to designate a suitable individual (or individuals) responsible for overseeing compliance. However, the new law wouldn’t lay down specific requirements & obligations for this role.
3. No mandatory requirement for Data Protection Impact Assessments
Currently, GDPR makes a DPIA mandatory for high-risk activities. It also sets out core elements such an assessment must include.
Furthermore, it requires supervisory authorities to establish a list of processing operations which definitely require a DPIA. This led authorities, including the UK’s ICO, to dutifully publish lists of where DPIAs would be considered mandatory, as well as best practice.
The Government is proposing removing this mandatory requirement, although this won’t mean throwing out screening questionnaires and DPIA templates, which are often very useful.
The onus would be on organisations to take a proportionate and risk-based decision on when they consider it appropriate to carry out impact assessments and how they go about this.
4. More flexible record keeping
Completing and maintaining up-to-date records, known as Records of Processing Activities (RoPA) has been one of the more onerous aspects of GDPR.
Again, current law and guidance is prescriptive about record keeping requirements – although small and medium sized organisations (with fewer than 250 employees) are exempt, unless their processing is likely to result in a risk to individuals, is more than occasional, or involves special category or criminal offence data.
It’s proposed a more flexible model for record keeping is introduced.
Maintaining a central record of what personal data you hold, what it’s used for, where it’s stored and who it’s shared with is a sensible and valuable asset for any organisation. Many feel such records are vital to effective data risk management.
So again, you don’t need to rip up your current RoPA, but you may soon be allowed to adapt your record keeping to suit your business and perhaps make your records easier to maintain.
5. Data breach notification threshold changes
It’s clear GDPR has led to data protection authorities being inundated with data breach reports. The ICO, for one, has highlighted a substantial amount of over-reporting.
This isn’t surprising when there’s a legal obligation for organisations to report a personal data breach if it is likely to represent a ‘risk’ to individuals.
It’s proposed organisations would only need to report a personal data breach where the risk to the individual is ‘material’. The ICO would be encouraged to produce clear guidance and examples of what would be ‘non-material’ risk, and what would or would not be considered a reportable breach.
6. Data Subject Access Requests changes
The stated purpose of a subject access request is to give individuals access to a copy of their personal data so they can ‘be aware and verify the lawfulness of processing’ (although many organisations might question if this is why some submit requests).
The consultation recognises the burden that responding to DSARs places on organisations, especially smaller businesses which often lack the resources to handle them.
The possibility of charging a nominal fee could be reintroduced. It’s also proposed the threshold for judging when a request may be vexatious / manifestly unfounded is amended.
7. Cookies and similar technologies
Headlines surrounding UK data reform usually focus on ending the barrage of cookie pop-ups. The consultation proposes two main options:
- Permitting organisations to use analytics cookies and similar technologies without the user’s consent. In other words, treating them in the same way as ‘strictly necessary’ cookies. It’s worth noting that this proposal is included in the most recent EU ePrivacy draft. (It’s accepted further safeguards would be required to ensure this had a negligible impact on user privacy and any risk of harm. It would also not absolve organisations from providing clear and comprehensive information about cookies and similar technologies).
- Permitting organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes. An example given is that this could include processing necessary for the legitimate interests of controllers where the impact on privacy is likely to be minimal.
The Government says it is keen to hear feedback on the most appropriate approach.
8. Legitimate Interests
There’s a proposal to create an exhaustive list of legitimate interests which organisations could rely on without needing to conduct the balancing test, i.e. no Legitimate Interest Assessment (LIA) required.
The following are some of the examples given:
- ensuring bias monitoring, detection and correction in AI systems
- statutory public communications and public health & safety messages by non-public bodies
- network security
- internal research and development projects
Where an activity is not on the list, we’re assuming assessments using the current three-part test (purpose, necessity and balancing) would still be needed.
9. Extended use of the ‘soft opt-in’
PECR currently permits email and SMS marketing messages where consent has been given, or, for existing customers only, where the soft opt-in requirements are met.
This exemption to consent for existing customers is currently only available to commercial organisations. It’s proposed this could be extended to other organisations such as political parties and charities.
This could be great news for charities, but could it lead to a deluge of unwanted messages from political parties?
10. Research purposes
The Government wants to simplify the use of personal data for research, with a specific focus on scientific research.
Considerations include establishing new lawful grounds for research (subject to ‘suitable safeguards’) and incorporating a clear definition of ‘scientific research’.
11. Artificial intelligence
It’s proposed certain solely automated decision-making should be permitted without human oversight.
GDPR (Article 22) gives individuals the right not to be subject to solely automated decisions which have legal or similarly significant effects on them, unless the decision is necessary for a contract with the individual, authorised by law or based on explicit consent. The consultation suggests Article 22 could be scrapped altogether.
The aim is to ‘deliver more agile, effective and efficient public services and further strengthen the UK’s position as a science and technology superpower’.
It’s hoped this can be achieved by developing a safe regulatory space for responsible AI development, testing and training which allows greater freedom to experiment.
In the consultation press release, an AI partnership between Moorfields Eye Hospital and the University College London Institute of Ophthalmology is highlighted. Researchers have trained machine-learning technology to identify signs of eye disease which, according to the press release, performs better than clinicians.
This is cited as a clear example of the type of data use which should be encouraged, not hindered by law.
12. Reform of the ICO
The Government wants to assert greater control over the UK’s data protection regulator, the Information Commissioner’s Office.
They propose to introduce a new statutory framework setting out the ICO’s strategic objectives and duties, together with a power for the Secretary of State for DCMS to prepare a statement of strategic priorities to inform how the ICO sets its own regulatory priorities.
This would bring the ICO into line with other UK regulators such as Ofcom, Ofwat and Ofgem.
The proposals also include introducing a new overarching objective for the ICO, in addition to its other functions, tasks and duties, with two key elements:
- Upholding data rights and safeguarding personal data from misuse
- Encouraging trustworthy and responsible data use, to uphold the public’s trust and confidence in the use of personal data
Yes, a shake-up of UK data laws and enforcement is on the horizon, but the final outcome remains unknown, and a healthy debate will surely follow.
The consultation closes on 19th November 2021, and there will undoubtedly be some time before any changes become law.
For the time being it’s business as usual, but this document gives us a clear idea of what the future might look like.
Meanwhile, the EU will be keeping a very close eye on developments, and it’s possible the UK could be deemed to be going a step too far – it’s easy to see the EC’s adequacy decisions being held over the UK Government like the Sword of Damocles.
The UK Government’s objective is to give organisations more control and flexibility around data protection management within a less burdensome regime, which supports the data economy and drives innovation.
In some ways, it could even be seen as a move towards giving organisations who don’t take data protection seriously more rope to hang themselves with.
The full consultation document is worth a read and can be found HERE.
Simon Blanchard, Phil Donn & Julia Porter – September 2021