UK data reform plans revealed: a snapshot

June 2022

DCMS publishes response to data reform consultation

DPOs, Records of Processing Activities and DPIA requirements are all set to go under UK Data Reform plans, as the Government pushes ahead with its intention to require organisations to implement a Privacy Management Programme (PMP).

Plans also include changes to PECR (the UK’s Privacy and Electronic Communications Regulations) including permitting charities to use the soft opt-in and allowing analytics cookies without consent.

The Government has set out the detail of how it plans to reform the data protection landscape in its response to the Autumn consultation.

Key highlights

(This article is not intended to cover the wide-ranging detail of the plans. The full consultation response from the Government can be found here).

Accountability 

  • The Government plans to proceed with the requirement for organisations to implement Privacy Management Programmes (PMPs).
  • Organisations currently compliant with the UK GDPR will not need to significantly change their approach, unless they wish to ‘take advantage of the additional flexibility the new legislation will provide’.
  • Organisations will have to implement a PMP based on the ‘level’ of processing activities they’re engaged in and the volume and sensitivity of the personal data they handle.
  • The PMP requirement will be subject to the same sanctions as under the current regime.

Data Protection Officers

  • The requirement to designate a Data Protection Officer will be removed.
  • There will be a new requirement to appoint a senior individual responsible for data protection. It’s envisaged most of the tasks of a DPO will become ‘the ultimate responsibility of a designated senior individual to oversee as part of the privacy management programme.’

Data Protection Impact Assessments

  • Under the new PMP requirement, organisations will be required to identify and manage risks, but ‘they will be granted greater flexibility as to how to meet these requirements’.
  • There will no longer be a requirement to undertake DPIAs as prescribed by UK GDPR.  However, organisations will be required to make sure they have ‘risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation.’
  • Organisations will be able, if they wish, to continue to use DPIAs but can tailor them based on the nature of their processing activities.
  • Existing DPIAs will remain a valid way of achieving the new requirement.

Record of Processing Activities

  • Personal data inventories will be needed as part of an organisation’s PMP, covering what and where personal data is held, why it has been collected and how sensitive it is.
  • Organisations will not have to stick to the prescribed requirements set out under Article 30, UK GDPR.

Reporting Data Breaches

  • No changes will be introduced to alter the threshold for reporting a data breach.
  • The Government will work with the ICO to explore the feasibility of clearer guidance for organisations.

Subject Access Requests

  • The Government plans to proceed with changing the current threshold for refusing or charging a fee for Subject Access Requests from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. It is said this will bring it in line with the Freedom of Information regime.
  • The Government does not intend to re-introduce a nominal fee for processing access requests.

Alongside changes to the current regime under UK GDPR, the Government plans include amendments to PECR. Key intended changes include:

Cookies

  • In the immediate term, the Government intends to permit cookies (and similar technologies) to be placed on a user’s device without explicit consent, ‘for a small number of other non-intrusive purposes’. It’s anticipated this will include analytics cookies which allow organisations to measure traffic to webpages and improve offerings to users.
  • It’s intended these changes will apply to connected technology, including apps on smartphones, tablets, smart TVs or other connected devices, as well as websites.
  • In the future, the Government intends to move to an ‘opt-out model of consent for cookies placed by websites’. The Government says its ambition is to improve the user experience and remove the need for ‘unnecessary’ cookie consent banners. It stresses an opt-out model would not apply to websites likely to be accessed by children (we’re assuming this means consent would be required) and its ambitions will be subject to an assessment that effective solutions are widely available for use.

Use of ‘soft opt-in’ extended

PECR fines to be increased

  • The Government plans to proceed with proposals to increase fines under PECR. This will allow the ICO to levy fines of up to £17.5m or 4% of a business’s global turnover. This would bring fines in line with current fines under the existing regime. Currently the maximum fine under PECR is capped at £500,000.

Political campaigning

  • The Government plans to consider further whether political communications should remain within the scope of PECR’s direct marketing rules (or be excluded).
  • It also intends to extend the soft opt-in so that ‘political parties and elected representatives can contact individuals who have previously shown an interest in the activities of the party (for example, by attending a conference or making a donation) without their explicit consent, provided they have been given an opportunity to refuse such communications at the point of providing their details’.

Human oversight of automated decision-making and profiling

  • The Government notes the vast majority of respondents to the consultation opposed the proposal to remove Article 22. The right to human review of automated decisions is considered a fundamental safeguard. It was confirmed this proposal will not be pursued.
  • The Government says it will be considering how to amend Article 22 to clarify the circumstances in which this must apply. It says it wants to align proposals in this area ‘with the broader approach to governing AI-powered automated decision-making’.  This will form part of an upcoming white paper on AI governance.

Legitimate Interests

  • The Government intends to create a limited list of defined processing activities where there would not be a requirement to conduct a balancing test for legitimate interests. This list will initially be limited to ‘carefully defined processing activities’.
  • This is likely to include processing activities to prevent crime, reporting safeguarding concerns or those which are necessary for important public interests reasons.
  • The Government proposes a new power to be able to update this list subject to parliamentary scrutiny.

Adequacy

A key concern is whether UK data reform will put adequacy at risk. The European Commission has granted the UK adequacy, which allows for the free flow of personal data from the EEA to the UK without the need for additional safeguards. However, in granting adequacy the EC said it would keep the decision under review and could revoke it if any significant changes were made.

The Government does not believe its plans put this decision at risk. The consultation response says: “the UK is firmly committed to maintaining high data protection standards – now and in the future”.

Response from the ICO

UK Commissioner, John Edwards says he shares and supports the ambition of these reforms. In particular he says “I am pleased to see the government has taken our concerns about independence on board”. You can read the ICO’s statement here. The independence of the ICO was cited by Mr Edwards as an area which could jeopardise adequacy (in recent evidence he gave to the Science and Technology Committee).

What next?

We now await the detail of the Data Reform Bill, which will be subject to parliamentary scrutiny. So there is still some way to go before the intended changes come into play.

UK Data Reform – Quick Update

June 2022

A few nuggets gleaned...

UK data reform is on the way, but we don’t know the detail yet. However, a meeting of Parliament’s Science and Technology Committee this week gave us a little insight.

Among others giving evidence were Julia Lopez, Minister of State for Media, Data and Digital Infrastructure and UK Information Commissioner, John Edwards.

Much was discussed in the two and a half hour session, but here are a few highlights…

When will we learn more?

Lopez said the response to the Government’s Autumn 2021 consultation paper will be linked to the legislation. It will be published before or at the same time as the Data Reform Bill. She wouldn’t be drawn on whether this would be before Parliament’s Summer Recess (from 22 July).

What shape will the UK data reform legislation take?

We were told the Bill is being designed to build on existing legislation. Lopez said the aim was to improve on legislation inherited from the EU (GDPR), not to start with a blank piece of paper.

It was said this is being done intentionally to make sure there isn’t an additional cost and burden of people having to look at a whole new set of requirements.

Lopez stressed there shouldn’t be any concern the Government is diluting data protection standards. She said, “the aim is for the legislation to provide greater clarity for organisations about what you can and can’t do.”

Is the role of DPO being removed?

Reading between the lines it looks like this requirement is going. Lopez reiterated the aim was to move to an ‘outcomes approach’ rather than a ‘tick box exercise’.

She said, “you wouldn’t necessarily need to have a Data Protection Officer, but you would need to have a Privacy Management Programme within your business or organisation, where you need to have proper accountability, proper reporting.”

Lopez said it was a lot to ask of small businesses to appoint a DPO, and it would be a more reasonable approach to appoint someone responsible for data protection.

(This does make me wonder whether the message has got through that GDPR never introduced a mandatory requirement for ALL businesses to have a DPO. Smaller businesses would not currently need to appoint a DPO unless the nature of their business or the data they handle is particularly sensitive.)

Will there be a DSAR fee?

The Minister wouldn’t be drawn on the proposal to reintroduce a small fee for data subject access requests. She said a careful balance was needed between easing the burden on businesses without diluting people’s rights.

Does reform risk EU adequacy?

Lopez said, “we are confident it will maintain adequacy”. She said the team at DCMS were in regular contact with their European counterparts, to make sure there were no surprises.

On this point John Edwards also seemed relatively confident the reform would not risk the EU’s adequacy decision (which allows for the free flow of personal data from the EU to the UK without the requirement for additional safeguards).

He said, “viewed objectively there isn’t anything in the proposed reform, with a few tweaks, that can be demonstrably shown to not be essentially equivalent”.

However he did have a caveat…

“There are a few issues in the initial consultation proposal which I was concerned could risk adequacy. For example aspects of the proposal which could be seen as impinging on the Commissioner’s independence.”

Edwards said he agreed with his predecessor, Elizabeth Denham, that if those were carried through into legislation it could be taken by the European Commission as undermining a “fundamental aspect of the safe regulatory environment required to represent adequacy.”

He said there remained a couple of decisions the Government needed to take on this.

Separate to this, concerns are being raised by some that the Brexit Freedoms Bill and the Bill of Rights (replacing the Human Rights Act in the UK) also represent threats to UK adequacy.

Does automated decision-making need human review?

Edwards was asked about AI, automated decision-making and the right to human intervention. He said he would be concerned if the right to have human review of an automated decision was removed.

The DCMS is said to be looking closely at GDPR Article 22 and there’s a move to look at this ‘holistically’ and not just through the data protection lens.

Lopez stressed the importance of privacy, but also said, “we need to be mindful of the need to be economically competitive, to allow our scientists and innovators to have access to high quality datasets”.

“Whilst maintaining privacy and trust, we shouldn’t create fear in a way which undermines our businesses and scientists’ ability to innovate”.

That’s all for now folks. We’re on standby to check the detail of the consultation response and new Bill as and when it’s published.

Three Steps to Transparency Heaven

June 2022

A strategic approach to transparency

Transparency is enshrined in one of the key data protection principles: Principle (a): Lawfulness, fairness and transparency.

You must be clear, open and honest with people from the start about how you will use their personal data.

There’s also a requirement to consider a data protection by design and default approach. To legitimately take this approach requires some planning and clear communication between teams about which data is used for what.

It’s obvious that most companies can pull together a privacy notice. However, as with many things to do with GDPR, creating engaging communications which deliver the correct information in a digestible format appears easier said than done.

Recent fines related to lack of transparency

In May we saw a €4.2m fine for Uber by the Italian Data Protection Authority (the Garante) for data protection violations. Amongst other things, the privacy notice was incorrect and incomplete, there were not enough details on the purposes of processing, and data subjects’ rights had not been spelled out.

Earlier this year, Klarna Bank AB was fined by the Swedish Data Protection Authority (IMY) for lack of transparency.

Be warned, the regulators are taking a look at these documents.

Step 1: Creating your Privacy Notice

Privacy notices have become rather formulaic since 2018 and my colleague Phil wrote a handy checklist of what must and should be included. Take note and have a look to see if you have ticked all the boxes.

Step 2: Housekeeping your Privacy Notice

The privacy notice is a dynamic document. Keeping it up to date is important.

  • New data processing activities: Make sure you’re made aware of new technology, new teams and new business processes, all of which may generate new data processing activities that need to be notified.
  • Record of Processing Activities: Create a routine to keep your RoPA up to date and make sure any changes are clearly flagged to the DP team.
  • Regulatory changes: Review any change in regulatory guidance. International data transfers are a perfect case in point where the guidance has changed. Changes may necessitate an update to your privacy notice.
  • Supplier due diligence: Review your supplier arrangements – are they carrying out new data processing activities which need to be captured in the notice? Are new suppliers in place and have they been audited/reviewed?
  • Marketing innovations: Ask your marketing team about their plans, as digital marketing developments move at breakneck speed. The use of AI for targeting and segmentation, innovations in digital advertising and the evolution of social media platforms all present privacy challenges. In addition, you may need to inform consumers of material changes.

Step 3: Breathing life into your Privacy Notice

It’s a marketing challenge to get people to pay attention to the privacy notice.

  • Use different communication methods – not everyone likes reading long screeds of text. Look at creative communication methods such as infographics, videos, cartoons to get the message across. Channel 4 are an exemplar as are The Guardian.
  • Use plain English – whenever you write it down, make sure it’s couched in terms your target audience will understand. Various reports place average reading age as 8, 9 or 11. Plain English, short sentences, easy to understand words should be deployed to get your message across.
  • Include information tailored to different target audiences: Companies will sometimes carry out data processing for clients, for consumers and for employees. Trying to cram all this information into one document makes it nigh on impossible for anyone to understand what’s going on. Separate it out and clearly signal what’s relevant to each group.
  • Use layers of communication – the ICO advocates a layered approach to communicating complicated messages. If you create a thread through your messages from clear top-level headlines with clear links to additional information, there’s a higher chance of achieving better levels of comprehension.
  • Keep it short and sweet – having read some of the documents produced by corporates, I am struck by how repetitive they can be. Not only do you lose the will to live, but comprehension levels are low and confusion levels are high. All of which is rather unhelpful.
  • Be upfront and transparent – do not obfuscate and confuse your audience. Although it can feel scary to tell individuals what is happening with their personal data, audiences appreciate the openness when processing is explained clearly. They need to know what’s in it for them.

Overall, this is a major marketing challenge. Explaining how you use personal data is an important branding project which allows a company to reflect their values and their respect for their customers.

The marketing teams need to get close to their privacy colleagues and use their formidable communication skills to make these important data messages resonate and make sense.

Four years on from GDPR, now is a good time to take a look at your privacy notice to see if it needs a refresh.


Data Retention Guide

Data retention tools, tips and templates

We know we shouldn’t keep personal data longer than we need it, but this is easier said than done.

Our in-depth data retention guide takes you through the key steps and considerations. Where to start? When are we legally required to keep data? How to judge necessity? And more.

It makes sense to get to grips with retention: keeping and using data has a cost. Storage limitation is a core data protection principle, and holding on to personal data longer than you should has its risks.

Whether you are starting out or reviewing your existing retention policy and schedules, we hope this guide will support your work.


The guide, first published in June 2020, was developed and written by data protection specialists from a broad range of organisations and sectors. A huge thank you to all those who made this guidance possible.

Making your RoPA work for your business

April 2022

Records of Processing Activities

Creating and maintaining Records of Processing Activities is a core data protection obligation for many businesses, but it’s clear it’s an area many struggle with.

Our Privacy Pulse Report 2022 revealed this to be the top challenge facing DPOs and privacy teams.

It’s an area which was raised in the UK Government’s consultation on UK data law reform. Proposals included introducing a more flexible and proportionate approach to record keeping.

Currently, the level of detail required under UK GDPR makes records time consuming to create. Maintaining these records over time as your business processing evolves requires resources and ongoing engagement from across the organisation.

However, even if the data reform proposals go through, it’s clear businesses won’t be able to rip up and disregard record keeping activities.

Maintaining a central record of what personal data you hold, what it’s used for, where it’s stored, how it’s protected and who it’s shared with is a sensible and valuable asset for any organisation.

6 reasons why your RoPA should be a valuable asset

1. Risk awareness

Identifying and recording your business activities means you can fully understand the breadth and sensitivity of your data processing. This can help you to clearly identify where data protection risks lie, so you can establish priorities and fully get to grips with mitigating these risks.

2. Lawful processing

Confirming and recording which lawful basis you’re relying on for each processing task means you can check you’re meeting the relevant conditions for that basis, be it consent, contract, legitimate interests and so forth.

3. Personal data breaches

Your RoPA should be the ‘go to’ place if you suffer a breach. It can help you to identify what personal data may have been exposed and how sensitive that data is, who might be affected, which processors might be involved and so on. This helps you to make a rapid risk assessment (within 72 hours) and to make good decisions to mitigate risks from the breach.

4. Individual privacy rights

If you receive a Data Subject Access Request, your records can help to locate and access the specific data required to fulfil the request. If you receive an erasure request, you can quickly check your lawful basis for processing and see if the right applies.

5. Transparency

With good records in place, you can be confident you’ve identified all the types of activities which need to be covered in your privacy notice.

6. Suppliers (processors)

Logging all your processors can support you in keeping on top of supplier management including due diligence, contractual requirements and international data transfers.

While many may not find documentation and record keeping much fun, try to sell the benefits, get key stakeholders on board and bake it into your routine business activities.

Data Protection and the KISS principle

February 2022

Privacy Notices should be easy to understand; is the same true of our internal policies?

(Keep it Simple, Stupid)

GDPR made it a legal requirement for organisations to provide privacy information, using easy to understand language.

‘Concise, transparent, intelligible … clear and plain language’. (Article 12, GDPR)

Some have done a great job, others less so. And could we be better at using the same approach with our internal data protection-related policies?

Privacy Notices

This legal requirement to ‘keep it simple’ (my words) led some businesses to put a lot of time and effort into their Privacy Notices, especially in the run up to GDPR implementation back in 2018.

(By Privacy Notice, I mean the external information we provide to our customers about how we collect, handle and use their personal details. In the past, the term ‘Privacy Policy’ was used, and still is by some. But in essence it’s a notice to inform people, not a policy they have to abide by and agree to).

We were urged to remove legal language, use headings, a layered approach, ‘just-in time’ notices and so on. The ICO’s Right to be Informed Guidance provides some useful pointers on this.

It’s no easy task to balance the legal points we have to cover with the need to make our notices concise and easily understood.

After all, we need to cover how we collect people’s details, how we use them, lawful bases, retention, data sharing, international transfers, possibly profiling and more.

Yet, we need to explain all of this in a way typical users of our products and services can understand. The more complex an organisation’s activities, the more difficult this becomes.

This has led to some Privacy Notices becoming long and detailed, and not necessarily easier to understand.

Others, however, have been seriously creative. For example, using icons or short videos to make sure information is as easy as possible to take in.

This is great – external communications matter. It’s good practice, builds confidence and reflects well on an organisation’s approach to data protection.

Which brings me onto…

Internal data protection policies – our instructions to our people

Have we put the same effort into explaining our internal data protection policies to our people?

Surely, we want these to be concise, with clear and plain language too?

Too often policy documents are littered with legalese and jargon. Sometimes it feels like we think a policy can’t really be a policy unless it’s unduly formal and detailed.

Not true.

People shouldn’t need a degree of specialist knowledge to wade through policies, particularly those aimed at ALL staff.

I’m thinking here about policies such as a Data Protection Policy, which we would expect our people to read, reference and use.

I believe making them hard work to read can give data protection a bad name. Even worse, if errors are made, poorly drafted or overly complicated policies will reflect badly on an organisation. The same can be said of our internal procedures and guidelines.

How to refresh data protection policies

Take a look at the way your policies are written. Are they a bit dry? If they could do with a revamp, here are some simple do’s and don’ts to consider:

Do’s

    • use everyday words
    • explain any data protection terms in plain English
    • break up blocks of text with headings, lists and tables
    • highlight key messages you want to get across
    • include useful tips
    • put in examples tailored to your business
    • rope in your Comms or L&D team to help simplify things (or anyone who’s good with words)
    • cut out detail by linking to other related policies, guidelines, procedures
    • ask for feedback – how often do people use them? do they find them helpful? what would make them better?

Don’ts

    • complex language / legalese
    • ‘insider’ jargon – why say ‘data subject’ if you could say people, individuals, customers, patients etc?
    • cut-and-paste definitions from GDPR text
    • information overload

Of course, balance is important. While overly complex policies will gather dust, we need to include enough useful and important information to get key messages across. We’re not talking about talking down to people or patronising them, either.

I believe making policy documents as easy to understand as our external Privacy Notices should be is a win-win approach.

Straightforward instructions are more likely to be read, which means more people are likely to follow them. Of course, we also need to make sure people are aware of relevant policies and can easily lay their hands on them.

Need some inspiration?

Here are a few Privacy Notices I think work from a presentational point of view. Just don’t hold me to whether they’ve got everything covered or not!

BBC: Your information and Privacy – a layered approach, with lots of useful questions to help people find the detail they are looking for.

Amnesty International: Housekeeping – also a layered approach with icons, tables and ‘characters’ used to explain how data is collected and used.

Lego: Legal for Kids – a video with a ‘Captain Privacy’ Lego figure of course!

Are your records of processing up to scratch?

December 2021

5 top tips to help you keep your RoPA accurate and up to date

Most people don’t find documentation and record keeping a great deal of fun. But nevertheless maintaining effective records of your data processing (often known as ‘Records of Processing Activities’ or RoPA) is an important obligation under data protection law.

These records help us to keep track of what personal data is held within the organisation and what it’s used for.

The record keeping requirements under GDPR apply to both controllers and processors. These requirements include keeping records covering:

  • the categories of personal data held
  • the purposes of processing
  • any data sharing
  • retention periods
  • the technical and organisational measures used to protect the data…and more…

Even smaller organisations with fewer than 250 employees still have certain record keeping responsibilities, which should not be overlooked. But they may benefit from a limited exemption. Smaller organisations only need to document their processing which is:

  • not occasional (therefore all the frequent processing must still be documented);
  • or could result in a risk to the rights and freedoms of individuals;
  • or involve the processing of special categories of personal data or criminal conviction / offence data.

The specific requirements for record keeping are detailed and it’s an area many businesses have found challenging, especially keeping records up to date.

Our 5-step guide to keeping your data records complete and up-to-date

1. Why? – The need for accurate records

Creating your records of processing and keeping them updated is important. If records are allowed to become outdated you can quickly lose track of the breadth and depth of your processing, leaving you uncertain just when you most need clarity.

After all, if you don’t know about certain processing or hold any record of it, how can you possibly help the business to protect that data?

For example, your RoPA should be the first place to look if you suffer a data breach, helping you to identify:

  • the categories of individual
  • the sensitivity of the data
  • what purposes it’s used for
  • names of the internal data owners
  • data processors involved
  • who the data was shared with
  • what safeguards should have been in place to protect it… and so on…

It can also be helpful to reference your RoPA when handling individual rights requests.

If requested you might need to make your records available to the ICO, so you’d want to be sure they are in good shape. Allowing them to get out of date makes the job of getting them back into order all the more difficult.

2. Who? – Compile an up-to-date list of internal data owners

Firstly, it’s helpful to enlist the support of your Board, as you’ll need help from all business function heads and data ‘owners’ to tell you about their changes to processing and notify you of new data service providers, so you can keep the RoPA refreshed over time.

Make sure you have a complete list of who is accountable for personal data processing within all your key business functions – the data owners. For example, Human Resources (employment & recruitment data), Sales & Marketing (customer / client data), Procurement (supplier data), Finance, and so on. Each accountable owner for these functions needs to understand their role in record keeping.

No DPO or data protection team can create and maintain the records on their own – they need the support of others.

3. What? – Make sure you’re capturing all the right information

Check you’re capturing all the RoPA requirements. These are slightly different depending on whether you act as a controller or processor – or indeed both. If you need to check, take a look at the ICO’s guidance on documentation.

4. How? – Regular engagement with your stakeholders

Building a healthy two-way dialogue with data owners (and other stakeholders) is essential, not only for record keeping but many other data protection tasks. They will be best placed to tell you what data they hold, what it’s used for and what measures they use to protect it.

5. When? – New processing

There’s always some new system, processing activity or change of suppliers, isn’t there? You should aim to update your records whenever you identify new processing or changes to existing processing – including identifying when you need to carry out a DPIA or LIA. Good stakeholder relations can really help with this.

I hope this short guide helps you to keep your own records up to scratch. I do find sharing the message about how helpful the RoPA can be if you suffer a data breach, or receive a data subject access request, can motivate others to support you with this important task. Good luck!

Privacy Management Programme – what does one look like?

October 2021

The concept is nothing new, but the term Privacy Management Programme (PMP) has been flung into the spotlight by the UK Government’s plans to reform data laws.

In a nutshell, the Government plans to revise the current accountability framework, replacing existing obligations (some of which are mandatory) with a requirement to implement a PMP.

It’s argued the current legislative framework ‘may be generating a significant and disproportionate administrative burden’ because it sets out detailed requirements organisations need to satisfy in order to demonstrate compliance.

The idea is that a new ‘risk-based accountability framework’ will be introduced, requiring organisations to implement a PMP but allowing flexibility to tailor the programme internally to suit the organisation’s specific processing activities.

What is a Privacy Management Programme?

A PMP is a structured framework which helps organisations meet their legal compliance obligations and the expectations of customers and clients, fulfil privacy rights, mitigate the risk of a data breach – and so forth.

Such a programme should recognise the value in taking an all-encompassing, holistic approach to data protection and privacy; embedding data protection principles and the concept of privacy by design and default.

Core components of a Privacy Management Programme

There are a number of PMP approaches and frameworks in existence. The UK Government has not yet elaborated on what it would expect a PMP to look like.

This top-level summary is broadly based on the IAPP’s Privacy Programme Management approach.

  • Governance

Organisations should develop and implement a suitable framework of management practices which make sure data is used properly and in line with organisational aims, laws and best practice. This should include adopting a privacy by design and by default approach; ensuring appropriate measures are in place to prevent unnecessary risks.

  • Assessments

Achieving clear oversight of the data held and processed, including any suppliers used to support business activities. Developing risk assessment tools which help to identify privacy risks and manage them effectively (e.g. Privacy Impact Assessments / Data Protection Impact Assessments).

  • Record-keeping

Mapping and maintaining an inventory of where personal data is, its purpose, how it is used and who it’s shared with.

  • Policies

Developing and implementing clear policies and procedures to guide staff and give them clear instructions about how personal data should be collected, used, stored, shared, protected and so on.

  • Training and awareness

Making sure adequate and appropriate training is conducted to give staff the knowledge and understanding they need to protect and handle data lawfully and in line with organisational expectations in their day-to-day roles. Making sure people are aware of how their organisation expects them to behave.

  • Privacy rights

Putting in place appropriate procedures to effectively and efficiently fulfil individual privacy rights requests, such as the right of access, erasure or objection.

  • Protecting personal information

Crucial to any PMP is protecting personal information. Working in conjunction with information security, a data protection by design approach would be expected – a proactive rather than reactive approach.

  • Data incident planning

Creating and developing data incident procedures and plans. Having appropriate methods to assess risk and potential impact, as well as understanding breach notification requirements.

  • Monitoring and auditing

Last, but by no means least, no PMP would be complete without a methodology for tracking and benchmarking the programme’s performance.

What might change?

To many who’ve endeavoured to comply with the GDPR, all of the above will sound very familiar.

So, the Government isn’t proposing we do away with all the hard work already done. It’s planning a relaxation of some of the mandatory requirements, giving organisations more flexibility and control over how they implement certain elements of their programme.

On the one hand, this could be seen as a welcome move away from a ‘one-size-fits-all’ approach under UK GDPR, giving organisations more flexibility around how they implement their privacy programmes to achieve desired outcomes.

On the other hand, there are fears the removal of mandatory requirements will lead to a watering down of the fundamental principle of accountability (a principle significantly bolstered under GDPR).