Data Protection Policies – what do businesses need?

September 2023

Under EU and UK data protection law businesses need to make sure they have ‘appropriate technical and organisational measures’ in place to protect personal data. Organisational measures include making sure staff receive adequate data protection training and guidance about how they should handle personal data.

In my experience, people are keen to ‘do the right thing’ with personal data, but are sometimes unsure how to go about it.

This is where well-crafted policies can really help, sitting alongside and integrated with employee training. Unfortunately, people often have a negative view of policies. Long-winded policies, full of impenetrable jargon which regurgitates the law, can turn people off.

A vanilla one-size-fits-all approach has little value… but there’s a much better way. A well-written, easy-to-read, concise policy can communicate ‘what good looks like’ for your business and explain how your people should behave to deliver good practice.

Yes, you absolutely need to take into account what the law says. A policy should identify key risk areas, but crucially it should also tell your people how they should act to meet your company standards – which include legal compliance.

Don’t shy away from stressing the benefits for your business of acting responsibly. Focus on the needs of your business sector and the unique nature of your business’s processing.

Make policies relevant to your workforce and how your business operates. Even better, if you can, tie in the launch of improved data policies with data protection training which shares the main themes from the policies. This can really bring them to life, improve awareness and reinforce positive behaviours.

What data protection related policies are needed?

First decide which policies you actually need and how they should fit together. My favoured approach is to have just two ‘parent’ data policies, a Data Protection Policy and an Information Security Policy, then link out to ‘child’ policies or procedures which sit below them.

You might consider a third parent policy, such as Acceptable Use, but personally I prefer information about acceptable use to be included within the Data Protection and Information Security policies, so people don’t have to search around.

Here’s a typical Policy Framework, showing the two ‘parent’ policies and examples of possible ‘child’ policies or procedures below.

The range of policies you’ll need will vary from business to business. A small company, with a handful of employees, processing relatively less sensitive data won’t need a raft of policies.

Many micro or small businesses may just focus on having a Data Protection Policy (which covers the data lifecycle from creation through to retention) and an Information Security Policy. Alongside these you’ll definitely need a clear procedure for handling data breaches and individual privacy rights.

How to write helpful, practical data protection policies

As said, too often policy documents are littered with legalese and jargon. Sometimes it feels like a policy has to be formal and massively detailed. Not true. People shouldn’t need a lot of specialist knowledge to understand your policies, particularly those aimed at ALL staff. Straightforward instructions are more likely to be read, which means more people are likely to follow them.

Take a look at the way your policies are written. Are they a bit dry? If they could do with freshening up, here are some simple do’s and don’ts to consider:

Do:
  • use everyday words in place of jargon
  • explain any necessary terminology in plain English
  • break up blocks of text with headings, lists and tables
  • highlight key messages you want to get across
  • include useful tips
  • give useful examples tailored to your business
  • rope in your Comms or L&D team to help simplify things (or anyone who’s good with words)
  • cut out detail by linking to other related policies, guidelines, procedures
  • ask for feedback – how often do people use them? Do they find them helpful? What would make them better?

Don’t:
  • avoid complex language / legalese
  • avoid ‘insider’ jargon – why say ‘data subject’ if you could say people, individuals, customers, patients etc?
  • avoid cut-and-paste definitions from GDPR text – where you use data protection terms, such as controller, processor, third-party, anonymisation, automated decision-making explain what these mean in layman’s terms
  • avoid information overload

Of course, balance is important. While overly complex policies will gather dust, we need to include enough useful and important information to get key messages across. We’re not talking about talking down to people or patronising them, either.

Of course, we also need to make sure people are aware of relevant policies and can easily lay their hands on them.

How to communicate data protection policies

I’d recommend you host policies on your Intranet, if you have one, and create them in the form of web pages rather than PDFs. It’s good practice to include hyperlinks to and from topic-specific guidance notes, so people can easily navigate to find more about a specific topic. This helps you to keep the parent policies short and concise – easy to digest.

When you carry out data protection training, remind people where to find related policies. In fact, throughout the year, use near-misses, news stories and other events to reinforce key messages and point to your policies.

Well-crafted, easy-to-digest data protection related policies will go a long way to guide staff on how you expect them to handle and keep personal data secure in their day-to-day roles. But as always, proportionality is key: a smaller business handling fairly insensitive data wouldn’t be expected to have multiple policies.

Data breaches – human or a catalogue of errors?

August 2023

Why systems fail

The recent spate of serious data breaches, not least the awful case involving the Police Service of Northern Ireland (PSNI), left me wondering: who’s really to blame? We’re used to hearing about human error, but is it too easy to point the finger?

Is it really the fault of the person who pressed the send button? An old adage comes to mind, ‘success has a thousand fathers, failure is an orphan.’

Of course, people make mistakes. Training, technology and procedures can easily fail if ignored, either wilfully or otherwise. Yes, people are part of the equation. But that’s what it is. An equation. There are usually other factors at play.

In the PSNI case – one involving safety-critical data – I would argue that any system allowing such unredacted material to enter an FOIA environment in the first place is flawed.

Nobody is immune from human error. About nine years ago, on my second day in a new compliance role, I left my rucksack on the train. Doh! Luckily, there was no personal data relating to my new employer inside. I lost my workplace starter pack and had to cancel my debit card. I recall the sinking feeling as my new boss said, ‘well, that’s a bit embarrassing for someone in your job’. It was. But I knew it could have been so much worse.

Approximately 80% of data breaches are classified by the Information Commissioner’s Office as being caused by human error. Common mistakes include:

  • Email containing personal data sent to the wrong recipients
  • Forwarding attachments containing personal data in error
  • Failing to notice hidden tabs or lines in spreadsheets which contain personal data (this is one of the causes cited in the PSNI case)
  • Sensitive mail going to the wrong postal address (yes, a properly old-fashioned dead wood data breach!)

However, sometimes I hear about human error breaches and don’t think ‘how did someone accidentally do that?’ Instead, I wonder…

  • Why didn’t anyone spot the inherent risk of having ALL those records in an unprotected spreadsheet in the first place?
  • Why wasn’t there a system in place to prevent people being able to forget to blind copy email recipients?
  • Is anyone reviewing responses to Data Subject Access Requests or FOI requests? What level of supervision / QA exists in that organisation?
  • Why is it acceptable for someone to take confidential papers out of their office?

I could go on.

Technical and Organisational Measures (TOMs)

Rather than human error, should we be blaming a lack of appropriate technical and organisational measures (TOMs) to protect personal data? A fundamental data protection requirement.

We all know robust procedures and security measures can mitigate the risk of human error. A simple example – I know employees who receive an alert if they’re about to send an attachment containing personal data without a password.

Alongside this, data protection training is a must, but it should never be a ‘tick box’ exercise. It shouldn’t be a case of annual online training module completed; no further action required! We need to make sure training is relevant and effective and delivers key learning points and messages. Training should be reinforced with regular awareness campaigns. Using mistakes (big or small) as case studies is a good way to keep people alert to the risks. This is another reason why post-event investigation is so important as a lesson-learning exercise.

Rather than being a liability, people armed with enough knowledge can become our greatest asset in preventing data breaches.

Chatting with my husband about this, he mentioned a boss once asking him to provide some highly sensitive information on a spreadsheet. Despite the seniority and insistence of the individual, my husband refused. He offered an alternative solution, with protecting people’s data at heart. Armed with enough knowledge, he knew what he had been asked to do was foolhardy.

Lessons from previous breaches

It’s too early to call what precisely led to these recent breaches:

  • The Police Service of Northern Ireland publicly releasing a spreadsheet containing the details of 10,000 police officers and other staff in response to a Freedom of Information request
  • Norfolk and Suffolk Police accidentally releasing details of victims and witnesses of crime
  • Scottish genealogy website revealing thousands of adopted children’s names.

However, we can learn from previous breaches and the findings of previous ICO investigations.

You may recall the case of Heathrow Airport’s lost unencrypted memory stick. Although ostensibly a case of human error, the ICO established the Airport failed not only ‘to ensure that the personal data held on its network was properly secured’, but also failed to provide sufficient training in relation to data protection and information security. The person blamed for the breach was unaware the memory stick should have been encrypted in the first place.

Then there was the Cabinet Office breach in which people’s home addresses were published publicly in the New Year’s Honours list. The actual person who published the list must’ve had a nightmare when they realised what had happened. But the ICO findings revealed a new IT system was rushed in and set up incorrectly. The procedure given for people to follow was incorrect. A tight deadline meant short-cuts were taken. The Cabinet Office was found to have been complacent.

The lesson here? Data breaches aren’t always solely the fault of the person pressing the ‘send’ button. Too often, systems and procedures have already failed. Data protection is a mindset. A culture. Not an add-on. As the PSNI has sadly discovered, in the most awful of circumstances.

The impact breaches can have on employees, customers, victims of crime, patients and so on, can be devastating. Just the knowledge that their data is ‘out there’ can cause distress and worry.

Data protection law doesn’t spell out what businesses must do. To know where data protection risks lie, we need to know what personal data we have across the business and what it’s being used for. Risks need to be assessed and managed. And the measures put in place need to be proportionate to the risk.

Data Protection Impact Assessments Guide

July 2023

A quick guide to managing DPIAs

This short guide to Data Protection Impact Assessments covers what a DPIA is and when it’s mandatory to conduct one under UK GDPR and EU GDPR. It also includes helpful tips on how to manage the process.

DPIAs not only help to protect people’s data, they also help to protect the business.

Privacy Notices Quick Guide

The right to be informed

All businesses need an external facing Privacy Notice, aka Privacy Policy, if collecting and handling people’s personal information.

Data protection law tells us we must provide people with easily accessible and specific privacy information when we collect their data. This guide sets out the key considerations and core requirements of our Privacy Notices.


Top 10 Data Protection Tips for SMEs

January 2023

Is it onerous for SMEs to become compliant?

One of the stated aims of the UK Government’s Data Protection and Digital Information Bill is to support small businesses and remove unnecessary bureaucracy.

As context, there are 5.6m businesses in the UK, of which SMEs (fewer than 250 employees) represent 99% of the total. According to IAPP research, approximately 32,000 organisations in the UK have a registered DPO. It’s right, therefore, to focus on SMEs.

But how onerous is small business data protection now? Arguably, the answer is, not as onerous as you might think. We’ve created a top 10 checklist for start-ups and small businesses to help you decide what you should be concerned with:

1. Do I need to worry about data protection regulation?

Yes. Pretty much any business processing personal data for commercial purposes needs to worry about data protection. (It does not apply to purely ‘personal or household activity’.) Having said that, the law and regulatory advice focus on taking a ‘proportionate’ approach. There’s no one size fits all, and it will depend on the risk appetite of your organisation.

2. Do I need a DPO?

Probably not. If the answer to these three questions is no, you don’t need a DPO…

  • Are you a public authority or body?
  • Do your core business activities require regular and systematic monitoring of individuals on a large scale?
  • Do your core business activities involve processing on a large scale ‘special category data’, or criminal convictions or offences data?

Even if you don’t need a DPO, it’s wise to nominate someone in your organisation as a data protection lead. This does not need to be a full-time role. Alternatively, you can outsource this activity to someone/a company who can provide the support on a part-time basis.

3. Do I need a RoPA (Record of Processing Activity)?

Maybe. There’s no escaping the fact RoPAs are challenging documents to complete and can absorb a huge amount of time. Companies with more than 250 employees must always keep a RoPA – that’s just under 8,000 businesses in the UK.

If you have fewer than 250 employees, you don’t need a RoPA if all of the following apply:

  • Processing does not pose a risk to the rights and freedoms of the data subject
  • No special category data is being processed
  • Processing is only done occasionally

The debate starts when you consider what constitutes a ‘risk to the rights and freedoms of the data subject’. It’s worth considering the type of data you handle rather than the volumes to help you decide whether to complete a RoPA. As a start-up, you may not need a RoPA as defined in the legislation. However, having a record of what information is processed, for what purpose and under what lawful basis is a good idea even if the ICO RoPA form is not.

There are changes afoot with regards to the RoPA under UK data reform plans, but a record of your activities may still be necessary, just not as currently prescribed.

4. Do I need to register with the ICO?

Almost certainly YES. The ICO asks all businesses that process personal data to pay the Data Protection Fee. This is used to fund the ICO and its activities. This isn’t onerous. In fact, most small businesses will only have to pay £40 (or £35 with a direct debit). And that’s before you’ve considered whether you’re exempt. Not-for-profit status is a possible example.

5. Do I need a privacy notice (policy)?

Yes. A privacy notice is a foundational piece of your data protection work. Any organisation which processes personal data needs to set out what data they are processing and how they are processing it as well as the data subject’s rights. The ICO’s checklist provides very clear guidance for what must be in a notice and what might be in a notice.

6. How about a cookie notice?

Yes again. If you have a website, assume you need a cookie notice. Even if all you’re doing is using cookies to manage the performance of your website, a cookie notice is required. This does not need to cost money. You can get free software from the major privacy software providers. They have simple step-by-step set-up guides. There is really no excuse not to have a cookie notice.

7. What about accountability?

Yes, but make it proportionate. In a nutshell, accountability means ‘evidencing your activities’. Keep a record of what you do, why you’re doing it and your decision-making. It also means making sure you have appropriate technical and organisational measures in place to protect personal data. Have staff been adequately trained in data protection? Do we have clear guidelines and/or policies to help them?

8. What about Individual Rights?

Yes. Every individual has clear rights and, irrespective of the size of the organisation, you need to fulfil these requests.

These rights include right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing.

Not all of these might apply to a small business, but it’s important to decide how to recognise and respond to these requests from individuals.

9. Don’t forget information security

Yes. Cyber Essentials was designed for SMEs. Arguably it’s the absolute minimum for any business. It does cost money but not a lot. Gaining the Cyber Essentials certification (if self-certified) costs £300. The five technical controls are:

  • Boundary firewalls and internet gateways
  • Secure configuration
  • Access control
  • Malware protection
  • Patch management

10. What about International Data Transfers?

Hopefully no! If you and your suppliers are only operating in the UK and Europe, stop reading now. However, if any data is exported to a third country (such as the USA, South Africa or India), there’s no escaping the fact that international data transfers can be painful to work through.

When EU-US Privacy Shield was invalidated in 2020, this caused significant problems for data transfers between the US and the EU/UK. At the time, Max Schrems’ advice was to only work with companies based in the UK or Europe who are not exporting data to third countries. However, this isn’t always possible – just consider how many people use Google, Microsoft or Mailchimp.

Many, if not most, businesses will have dealings with these three, and the reality is that you must either accept they’re not going to change anything for you, or choose not to use them.

Many small and start-up businesses can get ready relatively quickly. The trick for small business data protection is to review your arrangements on a regular basis and be aware if any more complicated processing emerges. For instance, anything involving automated processing, special category data, AI or children’s data carries significant risk and should be treated with care.

There’s more helpful information available on the ICO’s Small Business Hub.

Data Protection Basics: The 7 data protection principles

November 2022

Understanding the key principles of data protection

Let’s get back to basics. There are seven core principles which form the foundation of data protection law. Understanding and applying these principles is the cornerstone for good practice and key to complying with UK / EU GDPR.

Here’s our quick guide to the data protection principles.

1. Lawfulness, fairness and transparency

This principle covers 3 key areas.

a) Lawfulness – We must identify an appropriate ‘lawful basis’ for collecting and using personal data. In fact, we need to decide on a lawful basis for each task we use personal data for, and make sure we fulfil the specific conditions for that lawful basis. There are 6 lawful bases to choose from.

We need to take special care and look to meet additional requirements when using what’s termed ‘special category’ data or data which relates to minors or vulnerable people.

We should also be sure not to do anything which is likely to contravene any other laws.

b) Fairness – We must only use people’s data in ways that are fair. Don’t process data in a way which might be unexpected, discriminatory or misleading. This means evaluating any adverse effects on individuals.

c) Transparency – We must be clear, open and honest with people about how we use their personal information. Tell people what we’re going to do with their personal information. Routinely this is achieved by providing relevant privacy information at the point data is collected, and by publishing a complete and up to date privacy notice and making this easy to find. Transparency requirements apply right from the start, when we collect or receive people’s data.

2. Purpose limitation

This is all about only using personal details in the ways we told people they’d be used for. We must be clear about what our purposes for processing are and specify them in the privacy information we provide to individuals.

Sometimes we might want to use personal data for a new purpose. We may have a clear legal obligation to do it, but if not we should check the new purpose is compatible with the original purpose(s) we had for that data. If not, then we may need to secure the individual’s consent before going ahead.

Remember, if we surprise people, they’ll be more likely to complain.

3. Data minimisation

We must make sure the personal data we collect and use is:

  • Adequate – necessary for our stated purposes. Only collect the data we really need. Don’t collect and keep certain personal information ‘just in case’ it might be useful in future.
  • Relevant – relevant to that purpose; and
  • Limited to what is necessary – don’t use more data than we need for each specific purpose.

4. Accuracy

We should take ‘all reasonable steps’ to make sure the personal data we gather and hold is accurate, up-to-date and not misleading.

It’s good practice to use data validation tools when data is captured or re-used. For example, validate email addresses are in the right format, or verify postal addresses when these are captured online.

If we identify any of the personal information we hold is incorrect or misleading, we should take steps to correct or delete it promptly.

Data accuracy can decline over time. For example, people change their email address, move house, get married or divorced, their needs and interests change. And of course some people on your database may pass away. So we need to consider ways to keep our data updated and cleansed.

Perhaps find ways to give people the opportunity to check and update their personal details?

5. Storage limitation

Don’t be a hoarder! We must not keep personal data longer than necessary for the purposes we have specified.

Certain records need to be kept for a statutory length of time, such as employment data. But not all data processing has a statutory period. Where the retention period is not set by law, the organisation must set an appropriate data retention period for each purpose, which it can justify.

The ICO would expect us to have a data retention policy in place, with a schedule which states the standard retention period for each processing task. This is a key step to making sure you can comply with this principle.

When the data is no longer necessary, we must destroy or anonymise it, unless there’s a compelling reason for us to keep it for longer. For example, when legal hold applies. For more information see our Data Retention Guidance.

6. Security

This is the ‘integrity and confidentiality’ principle of the GDPR – often known as the security principle. This requires organisations to make sure we have appropriate security measures in place to protect the personal data we hold.

UK / EU GDPR talks about ‘appropriate technical and organisational measures’ (known as TOMs). These include things like physical and technical security measures, conducting information security risk analyses, and having information security policies & standards in place to guide our staff.

Our approach to security should be proportionate to the risks involved. The ICO advises us to consider available technology and the costs of implementation when deciding what measures to take.

Some of the basics include transferring data securely, storing it securely, restricting access to only those who need it and authenticating approved data users.

Cyber Essentials or Cyber Essentials Plus can be helpful as an assurance framework to carry out a review of your data security arrangements.

Controllers should consider information security standards when appointing and managing relationships with processors, i.e. service providers handling personal data on your behalf to provide their services. Are your processors securely handling their processing of the data you control? Carry out appropriate due diligence to make sure.

7. Accountability

The accountability principle makes organisations responsible for complying with the UK / EU GDPR and says they must be able to evidence how they comply with the above principles.

This requires data governance across the organisation. Think of accountability as a collective responsibility, flowing from the Executive team and down through to the teams that process personal data.

To demonstrate how we comply, we need to have records in place. For many organisations this will include a Record of Processing Activities (RoPA).

The ICO provides a useful ‘Accountability Framework’ we can use to benchmark performance against their expectations.

In summary, identify the lawful bases you’re relying on and be fair and be open about what you do. Minimise the data you collect and make sure it remains accurate over time. Always keep it secure and don’t keep it for longer than you need it. Take care if you want to use personal data for a new purpose. Keep records and be ready to justify your approach. The ICO has published more detailed guidance on the seven principles.

Privacy notices – the 8 deadly sins

August 2022

There are seven original sins, but Privacy Notices have eight!

Scary, eh? If we’re not careful, they can be like a radio advert where the voiceover person speaks really, really fast to mention stuff they’re obliged to say but assume nobody wants to hear.

Which is all very well, until a juicy complaint thunders into the ICO’s in-box and it transpires your privacy notice is written in legal hieroglyphics you need a PhD to understand.

The rules are clear and carved in tablets of stone (well, UK/EU GDPR) – the notice has to be in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’. Also, you have to cover specific mandatory areas.

Recently, late on a Friday night, I found myself reading the privacy notice on a Tory leadership contender’s website. My rock’n’roll lifestyle, eh? Needless to say, it was rubbish. And these are the people passing data protection law?

Why should we care about our Privacy Notices?

Your privacy notice might be the loneliest, least-visited corner of your website. So why care about getting it right?

  • Done well it says, ‘we care about data protection’. It can increase people’s trust in your organisation – the more trust, the more likely people are to engage.
  • Remember, prospective clients and partners are likely to scrutinise your privacy notice as part of their due diligence. It’s definitely something I do for clients.
  • If you miss activities out, you may come a cropper when things go wrong. Your privacy notice is your ‘shop window’ for data protection matters and, just like your customers, the ICO can take a peek whenever they want. For example, even before GDPR, several charities found themselves in hot water for not telling people they carried out wealth screening.
  • The right to be informed is a legal requirement. The ICO says serious breaches of the right to be informed could leave you open to the highest tier of fines. Is it worth taking the risk?

With this in mind, here are my Eight Deadly Sins:

1. Don’t copy someone else’s

There’s no harm in looking at how others do things, and how they’ve worded things. This is helpful, but resist the temptation to cut ‘n’ paste. They might have it wrong, they might have missed out core requirements and they might be doing things differently from you. And you don’t need to be much of a detective to work this one out when something goes wrong.

2. Don’t use a standard template…

… without taking the time to tailor it to what you actually do. For example, what do you use personal information for? You need to list the activities YOU do.

3. Don’t get a lawyer to write it…

… unless they have a flair for using down-to-earth, easy-to-understand language. Grab your best copywriter and get them involved.

4. Don’t quote the law

“As a data subject you have the right to obtain from us (the controller) confirmation as to whether or not personal data concerning you is being processed, and where this is the case, access to the personal data”.

Legal rubric is written for courts and lawyers. It isn’t meant to be ‘easy’ to understand (not on purpose, but because legal discourse has a specific context). This is not the case for your privacy notice, so as to the above paragraph, just NO!

(p.s. the same goes for your internal policies which you expect ALL staff to adhere to, don’t make them impossible to understand).

5. Don’t use GDPR jargon

Most people don’t know what processing, controller, processor, pseudonymisation and third-party mean. And why would they? Don’t force them to look up GDPR definitions to understand what you’re talking about (as this is unlikely to help either).

Don’t get me started on profiling – does your audience know what this means? It all sounds a bit ‘Silence of the Lambs’ if you ask me.

It’s better to clearly explain what you mean without using words which people either won’t understand or could be easily misunderstood.

6. Don’t leave out core requirements

There are specific areas we’re obliged to cover. The ICO has a clear checklist for this.

What routinely gets overlooked? In my experience:

  • The lawful bases relied upon. Tricky to drop in without sounding like legal speak. Using a table can help, or drop downs so those who want to delve into this detail can.
  • Legitimate interests – remember we’re told to tell people what our legitimate interests are.
  • The right to complain to the ICO.
  • Who personal information is shared with.
  • International data transfers.

7. Don’t leave it out because it’s too difficult to write down

There’s an art to explaining complex stuff simply, and this is one of those occasions where it pays to learn.

8. Don’t hide it

Sometimes I search high and low on websites to find the privacy notice. Why not just provide a link in the footer on every website page? And don’t make the font so small I have to scramble for my reading glasses (yes, my life really is that rock’n’roll). Privacy information shouldn’t be hard to find. Again, when something bad happens, do you really want someone alleging you were deliberately trying to hide it?

Clarity, being concise, using plain English – it’s obviously subjective

You know your customers better than anyone and you want to keep them. So reflect this in the way you present your privacy notices.

Try them out on your friends and colleagues who don’t work in your world. Do they understand them? Stress-test your notices before you publish them – and why not keep a note of that too? Demonstrating good faith and recording your decision-making is never a bad thing.

Let me know what does or doesn’t work for you – best practice is what we’re all about.

UK data reform plans revealed: a snapshot

June 2022

DCMS publishes response to data reform consultation

DPOs, Records of Processing Activities and DPIA requirements are all set to go under UK Data Reform plans, as the Government pushes ahead with its intention to require organisations to implement a Privacy Management Programme (PMP).

Plans also include changes to PECR (the UK’s Privacy and Electronic Communications Regulations) including permitting charities to use the soft opt-in and allowing analytics cookies without consent.

The Government has set out the detail of how it plans to reform the data protection landscape in its response to the Autumn consultation.

Key highlights

(This article is not intended to cover the wide-ranging detail of the plans. The full consultation response from the Government can be found here).

  • The Government plans to proceed with the requirement for organisations to implement Privacy Management Programmes (PMPs).
  • Organisations currently compliant with the UK GDPR will not need to significantly change their approach, unless they wish to ‘take advantage of the additional flexibility the new legislation will provide’.
  • Organisations will have to implement a PMP based on the ‘level’ of processing activities they’re engaged in and the volume and sensitivity of the personal data they handle.
  • The PMP requirement will be subject to the same sanctions as under the current regime.

Data Protection Officers

  • The requirement to designate a Data Protection Officer will be removed.
  • There will be a new requirement to appoint a senior individual responsible for data protection. It’s envisaged most of the tasks of a DPO will become ‘the ultimate responsibility of a designated senior individual to oversee as part of the privacy management programme.’

Data Protection Impact Assessments

  • Under the new PMP requirement, organisations will be required to identify and manage risks, but ‘they will be granted greater flexibility as to how to meet these requirements’.
  • There will no longer be a requirement to undertake DPIAs as prescribed by UK GDPR. However, organisations will be required to make sure they have ‘risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation.’
  • Organisations will be able, if they wish, to continue to use DPIAs but can tailor them based on the nature of their processing activities.
  • Existing DPIAs will remain a valid way of achieving the new requirement.

Record of Processing Activities

  • Personal data inventories will be needed as part of an organisation’s PMP, covering what and where personal data is held, why it has been collected and how sensitive it is.
  • Organisations will not have to stick to the prescribed requirements set out under Article 30, UK GDPR.

Reporting Data Breaches

  • No changes will be introduced to alter the threshold for reporting a data breach.
  • The Government will work with the ICO to explore the feasibility of clearer guidance for organisations.

Subject Access Requests

  • The Government plans to proceed with changing the current threshold for refusing or charging a fee for Subject Access Requests from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. It is said this will bring it in line with the Freedom of Information regime.
  • The Government does not intend to re-introduce a nominal fee for processing access requests.

Alongside changes to the current regime under UK GDPR, the Government’s plans include amendments to PECR. Key intended changes include:

  • In the immediate term, the Government intends to permit cookies (and similar technologies) to be placed on a user’s device without explicit consent, ‘for a small number of other non-intrusive purposes’. It’s anticipated this will include analytics cookies which allow organisations to measure traffic to webpages and improve offerings to users.
  • It’s intended these changes will apply to connected technology, including apps on smartphones, tablets, smart TVs or other connected devices, as well as websites.
  • In the future, the Government intends to move to an ‘opt-out model of consent for cookies placed by websites’. The Government says its ambition is to improve the user experience and remove the need for ‘unnecessary’ cookie consent banners. It stresses an opt-out model would not apply to websites likely to be accessed by children (we’re assuming this means consent would be required) and its ambitions will be subject to an assessment that effective solutions are widely available for use.

Use of ‘soft opt-in’ extended

PECR fines to be increased

  • The Government plans to proceed with proposals to increase fines under PECR. This will allow the ICO to levy fines of up to £17.5m or 4% of a business’s global turnover. This would bring fines in line with current fines under the existing regime. Currently the maximum fine under PECR is capped at £500,000.

Political campaigning

  • The Government plans to consider further whether political communications should remain within the scope of PECR’s direct marketing rules (or be excluded).
  • It also intends to extend the soft opt-in so that ‘political parties and elected representatives can contact individuals who have previously shown an interest in the activities of the party (for example, by attending a conference or making a donation) without their explicit consent, provided they have been given an opportunity to refuse such communications at the point of providing their details’.

Human oversight of automated decision-making and profiling

  • The Government notes the vast majority of respondents to the consultation opposed the proposal to remove Article 22. The right to human review of automated decisions is considered a fundamental safeguard. It was confirmed this proposal will not be pursued.
  • The Government says it will be considering how to amend Article 22 to clarify the circumstances in which this must apply. It says it wants to align proposals in this area ‘with the broader approach to governing AI-powered automated decision-making’. This will form part of an upcoming white paper on AI governance.

Legitimate Interests

  • The Government intends to create a limited list of defined processing activities where there would not be a requirement to conduct a balancing test for legitimate interests. This list will initially be limited to ‘carefully defined processing activities’.
  • This is likely to include processing activities to prevent crime, reporting safeguarding concerns or those which are necessary for important public interests reasons.
  • The Government proposes a new power to be able to update this list subject to parliamentary scrutiny.

A key concern is whether UK data reform will put adequacy at risk. The European Commission has granted the UK adequacy, which allows for the free flow of personal data from the EEA to the UK without the need for additional safeguards. However, in granting adequacy the EC said it would keep it under review and, if any significant changes were made, it could revoke the decision.

The Government does not believe its plans risk this decision. The consultation response says: “the UK is firmly committed to maintaining high data protection standards – now and in the future”.

Response from the ICO

UK Commissioner John Edwards says he shares and supports the ambition of these reforms. In particular he says “I am pleased to see the government has taken our concerns about independence on board”. You can read the ICO’s statement here. The independence of the ICO was cited by Mr Edwards as an area which could jeopardise adequacy (in recent evidence he gave to the Science and Technology Committee).

What next?

We now await the detail of the Data Reform Bill, which will be subject to parliamentary scrutiny. So there is still some way to go before the intended changes come into play.