UK data reform – key proposals
Data Protection and Digital Information Bill – what might be on the cards?
I was beginning to think the planned changes to data protection law might slip by the wayside, but with the Data Protection and Digital Information Bill (DPDI) being included in this month’s King’s Speech, there may be a concerted drive to get the Bill passed into law before the next election. It seems a good time to remind ourselves what might be in store.
The Government’s stated aim in reforming UK data laws is to ease the burden on businesses, particularly smaller ones. GDPR is perceived by some to be overly burdensome, onerous, and at times a ‘box-ticking’ exercise.
What’s proposed and what might these changes mean in practice?
Firstly, in our opinion here at the DPN there’s nothing massively radical about the DPDI Bill. The core data protection principles, individual privacy rights and controller/processor obligations will remain the same. Yes, there’ll still be a need for detailed contracts between clients and their suppliers.
For many large organisations which operate across EU / global markets, as well as the UK, it could be mostly business as usual with EU GDPR remaining the benchmark.
There’s unlikely to be a huge impact on most small to medium-sized businesses whose processing is not particularly large scale or sensitive. Existing law already provides extra flexibility for these SMEs; for example, they may not need to appoint a Data Protection Officer, or to create and maintain a Record of Processing Activities.
For others, depending on their size, the nature of their business and their operational structure, it may necessitate changes and offer potential efficiencies.
Remember, nothing is set in stone yet!
8 key data reform points
The Bill is over 200 pages long, so we’ve selected some broad top-level points, summarising what’s proposed and our take on these potential changes.
1. Record keeping & Records of Processing Activities (RoPA)
Currently organisations (both controllers and processors) are required to keep a RoPA; however, there’s a limited exemption for organisations with fewer than 250 employees where the processing is not high risk and does not involve special category or criminal convictions data. The UK’s Information Commissioner’s Office has published a template covering what information should be included in a RoPA.
The requirement to have a RoPA as stipulated under GDPR will be removed. Organisations which carry out ‘high risk’ processing would be required to keep ‘appropriate records’. Other organisations would still be under an accountability obligation to make sure appropriate measures are in place to comply with data protection law and protect personal data.
Our take on scrapping the RoPA requirement
A RoPA is a valuable business asset, to identify and keep track of what data you have and where, what it’s used for, your lawful basis, any international data transfers and so on. It’s fundamental to many other data protection processes. It can prove invaluable in getting to grips with the full scope of your processing, identifying data risks, assisting with transparency requirements (e.g. privacy notices), fulfilling individual privacy rights requests and handling data breaches.
However, we know from DPN audience surveys creating and maintaining a RoPA can be a real headache for organisations. Many say their current records don’t fully meet GDPR requirements or ICO expectations. For some businesses, creating the RoPA can lead to duplication of effort and many businesses have taken a risk-based approach, focusing on their main risk areas.
We wouldn’t recommend ditching any hard work you may have already done to create your RoPA, because you can still gain benefit from it. If your RoPA isn’t complete, this new Bill could take the pressure off somewhat. For smaller businesses (below the RoPA threshold) we would recommend keeping some form of ‘basic’ record of your activities, in line with the new Bill.
2. Data Protection Risk Assessments
Currently organisations are required to conduct a Data Protection Impact Assessment (DPIA) for ‘high-risk’ processing activities. The ICO and many EU regulators provide a list of examples of when a DPIA must be conducted (and when it might be a good idea). UK/EU GDPR sets out what criteria should be included in these assessments.
The specific requirements relating to a DPIA will be removed. Organisations will need to conduct risk assessments for ‘high risk’ processing, but will have more flexibility and won’t be tied to specific DPIA requirements or templates.
Our take on scrapping DPIAs
Increased flexibility for organisations regarding when and how they conduct risk assessments should be welcomed. However, if you currently have an effective risk screening process and DPIA template which works for your organisation, and many do, you may decide there’s no reason to ‘fix something that’s not broken’. Also, don’t forget you may still be under an obligation to conduct DPIAs if subject to EU GDPR.
DPIAs are a well-established method to identify and mitigate privacy risks prior to the launch of any project involving personal data. We recognise some organisations may choose to benefit from this new flexibility and look for efficiencies by adopting a streamlined and perhaps bespoke process for risk assessments.
3. Senior Responsible Individual for data protection
Currently some (but certainly not all) organisations fall within the mandatory requirement to appoint a Data Protection Officer. Others have voluntarily chosen to appoint one. It’s worth noting a DPO’s position within the business, responsibilities and tasks are mandated under UK GDPR.
It’s proposed the requirement to appoint a DPO will be scrapped. Public authorities and other organisations carrying out ‘high risk’ processing will be required to appoint a Senior Responsible Individual (SRI) – someone accountable in the business for data protection compliance. This individual must be a member of senior management.
The proposed changes are also likely to affect what ‘accountability’ looks like, and what businesses would be expected to have in place to demonstrate their compliance with data protection law. Currently the ICO has a detailed accountability framework. We understand a new ‘risk-based accountability framework’ will be introduced, requiring organisations to have in place a Privacy Management Programme, with flexibility to tailor this to suit the scale and nature of the organisation’s specific processing activities. It’s thought likely that any existing accountability measures in place to comply with GDPR would not have to be changed.
Our take on DPO requirement changes
There’s been plenty of confusion about which organisations are required to appoint a DPO. Some businesses have felt they needed to appoint one when in fact they didn’t need to. Others have appointed DPOs virtually in name only, without fully appreciating the legal obligations relating to the role.
This change will give businesses more flexibility, but equally it could muddy the waters and potentially lead to conflicts of interest. More clarification is needed on exactly how this role should operate, in comparison to the current DPO role.
For us, it currently raises more questions than answers. For example, what happens to existing DPOs who report into senior management, but act independently? Will a Senior Responsible Individual be able to delegate tasks to an external DPO? And not forgetting those organisations who need to keep a DPO to comply with EU GDPR, will they need an SRI as well?
4. Vexatious Data Subject Access Requests
Currently requests under the Right of Access (aka DSARs/SARs) can be refused, in part or in full, if they are judged to be ‘manifestly unfounded’ or ‘manifestly excessive’.
A concept of ‘vexatious or excessive’ will replace ‘manifestly unfounded or excessive’. Controllers will be permitted to take into account whether a request is intended to cause distress, is made in bad faith or is an abuse of power.
Our take on vexatious DSARs
Anecdotally we know of many cases where DSARs are being ‘weaponised’: not submitted to benefit the individual, but used primarily as a means to cause problems for an organisation. We welcome changes giving businesses increased grounds to decline inappropriate requests, where it’s clear the individual is not genuinely making the request because they want a copy of their personal data.
5. Recognised Legitimate Interests
Currently organisations can rely on the lawful basis of legitimate interests when the processing is considered to be necessary and balanced against the interests, rights and freedoms of individuals. There’s a requirement to conduct a balancing test; a Legitimate Interests Assessment (LIA).
The concept of ‘recognised’ legitimate interests is planned, where there will be an exemption from the requirement to conduct a balancing test (LIA) in certain situations. These ‘recognised’ legitimate interests cover purposes such as national security, public security, defence, emergencies, preventing crime, safeguarding and democratic engagement.
The Bill also includes other examples where legitimate interests could be appropriate, but would still require a balancing test. Examples include: direct marketing, intra-group transmission for admin purposes and security of network and information systems (although we are a little surprised the latter didn’t make it onto the list of recognised legitimate interests).
Our take on ‘recognised’ legitimate interests
We welcome this change, as it makes sense to reduce the paperwork required for activities which are straightforward or very clearly in the interests of both the organisation and individuals.
The fact that direct marketing may be carried out as a legitimate interest is not new. This is already in GDPR Recital 47, but it is reinforced by its presence in the Bill. This is a welcome clarification, but we would caution that under the UK’s Privacy and Electronic Communications Regulations (PECR) there will still be certain circumstances where consent is required.
6. Extension of the ‘soft-opt-in’ exemption under PECR for charities & other not-for-profits
Currently under PECR it’s a requirement to have consent to send electronic marketing, for example email or text marketing messages, unless you can rely on and meet the requirements of the so-called ‘soft opt-in’ exemption. This exemption is only available where the data is used for commercial purposes. Its use by charities is limited to the context of a sale, for example selling goods in a charity shop, and can’t, for example, be used in the context of donations.
The soft opt-in exemption will be extended to non-commercial organisations, covering where the direct marketing is:
- solely for the purpose of furthering charitable, political or other non-commercial objectives (i.e. including donations!)
- where the contact details have been obtained during the course of a recipient expressing an interest or providing support, and
- where the recipient is given a clear and simple means of objecting to direct marketing at the point their details were collected, and in every subsequent communication.
Our take on extending use of soft opt-in
We welcome the move to allow charities to take advantage of an exemption which has been available for commercial purposes for years. Clearly, it will be for each charity to decide whether they stick with consent or change to soft opt-in. It can only be used going forward – it’s not an opportunity to re-contact those who didn’t give consent or opted out in the past!
Charities will have to think carefully through the pros and cons of moving to soft opt-in and would be wise to check whether their CRM systems can store multiple permission statuses for legacy data alongside new data gathered under soft opt-in.
7. Cookies and similar technologies
Currently informed consent is required under PECR for all cookies and similar technologies deployed onto a user’s device. There is a limited exemption for ‘strictly necessary’ cookies.
There are provisions to expand the categories of cookies which don’t require consent, for example website analytics. There’s also a desire to reduce or eliminate the need for cookie pop-ups, but it’s not yet clear exactly how this will be achieved.
Our take on cookies
Many businesses would welcome easing the existing requirements, although we anticipate few websites will, in reality, be able to compliantly get rid of cookie banners, unless radical changes are made! We look forward to clarification on exactly how the proposed changes might work in practice to benefit businesses and the public.
8. Increased fines under PECR
Currently, fines for violations under UK PECR are capped at £500,000.
The Bill would bring the level of maximum fines in line with UK GDPR, meaning the ICO could issue fines of up to circa £17 million, or 4% of a business’s global turnover.
Our take on increased PECR fines
The ICO tends to take a proportionate approach to enforcement, and we envisage substantial fines would be reserved for spammers and rogue telemarketing businesses who flagrantly disregard the rules. If this goes some way to deterring bad operators and protecting the public, this could be a good thing.
Other DPDI Bill points worth noting
The Bill includes specific changes in relation to using personal data for scientific research, and what qualifies as scientific research. (This area could be an article in itself!)
International data transfers
The Bill doesn’t propose any significant changes to the international data transfer regime. It makes it clear that mechanisms entered into before the Bill takes effect will continue to be valid. At last, some welcome news for all those grappling with the UK IDTA or the EU’s SCCs with the UK addendum!
The Information Commissioner’s Office’s (ICO) name could be set to change to the Information Commission. It will act as an independent body, with plans for new reporting obligations to the Government. It’s intended there will be more government oversight of the Commission.
In summary, the above just touches on the key proposals; as we said, it’s a very lengthy document! In our view the UK’s Data Protection and Digital Information Bill marks a significant but not giant step away from GDPR. There are good reasons why the Government is keen not to diverge too far: it does not want to risk the current European Commission ‘adequacy decision’ for the UK being overturned.
This adequacy decision allows for the free flow of personal data between the EU and the UK, and there could be a significant negative impact for many businesses if UK adequacy is revoked. We don’t know yet whether the European Commission will view the Bill as a step too far.
It remains to be seen if the Bill can progress quickly enough to pass into law before the next election. If it fails to pass before a general election, it is not known if a new Government would be so keen to press on with the proposed reforms.