What would you change about GDPR?

Data reform in the UK is dead, well at least for the time-being, and possibly permanently. The announcement of a 4th July General Election means the DPDI Bill has been dropped.

The Bill was controversial. Some feared it would weaken data protection laws in the UK and risked the European Commission overturning the much valued ‘adequacy’ decision for the UK. Others welcomed a more flexible, business-friendly approach. Some saw it as mixed bag of good, bad and indifferent ideas, including changes seemingly made for the sake of demonstrating change.

The text of GDPR was finalised eight years ago. It’s spin-off the UK GDPR is pretty much the same as its EU counterpart and there are those in both the UK and EU who feel it may be time to update and refresh the legislation.

Here are some thoughts from data protection practitioners on nuggets in the DPDI Bill they wished had been passed, or an aspect of GDPR they would change if they could.

DPDI regrets

Fedelma Good, Data Protection and ePrivacy Specialist

Putting aside all the hours spent reading and assessing all the proposed changes, my biggest regret is that with the demise of the DPDI we will lose the harmonisation of language between the GDPR and the Privacy and Electronic Communications Regulations (PECR) as well as some of the common-sense changes which were being proposed in relation to analytic cookies. It’s sad too, to see that charities will not get the promised access to soft opt-in for their fund-raising activities. Additionally, I feel for the ICO where a huge amount of effort must have already been put into preparing for the proposed changes to their operating model.

Simon Blanchard, Data Protection Network Associates

I liked the concept of ‘recognised’ legitimate interests, where there would be an exemption from the requirement to conduct a Legitimate Interests Assessment in certain situations where there is a clear and compelling benefit – such as national security, public security, defence, emergencies, preventing crime and safeguarding.

Sachiko Scheuing, European Privacy Officer, Acxiom

The Bill proposed giving legal certainty to legitimate interest as a legal ground for the use of data for marketing purposes, by bringing the existing Recital 47 into the main articles. This would have been a welcome move.

Philippa Donn, Data Protection Network Associates

I supported the ‘vexatious and excessive requests’ DPDI proposal – allowing organisations to assess if a DSAR was intended to cause distress, made in bad faith or was an abuse of power. In my experience on occasion this right is exploited. If I’m allowed to dream? I’d advocate for leeway around the time organisations are given to respond to requests – at least a ‘pause the clock’ for bank holidays and Christmas! I think urgency is good, but making busy organisations rush a request is bad.

Ideas for data protection reform

Robert Bond, Senior Counsel, Privacy Partnerships Law

I would change Article 8 of the GDPR to make the protection of children and their personal data applicable to all controllers and not just those that supply information society services. Article 8 only impacts information society service providers in relation to the obtaining of consent of a child, but I feel the provision of any services to a child require a greater degree of compliance. The ICO’s Children’s Code is valuable, and more controllers need to be focused on the protection of the fundamental rights of the child.

Dominic Batchelor, Head of IP & Privacy, Royal Mail Group

I would update the types of data afforded special protection to reflect modern sensibilities better. Many people would be surprised that data revealing trade union membership, or veganism (if viewed as a philosophical belief), are more tightly regulated than financial data, and that specific parental oversight applies to children’s consent to processing for online services but not necessarily any processing of their data (and that even this control doesn’t apply over the age of 13).

Emma Butler, Creative Privacy

I would take the controller-processor obligations and accountability principle and merge them to create an accountability obligation on all organisations to achieve certain outcomes: the principles, risk assessment, rights, security, transfers and DP by design. All parties in a chain would be legally obliged to understand and determine (and put in a contract) who is doing what with what data, who has which obligations, and who has what liability to whom. Organisations could make arrangements based on facts rather than be shoehorned into a definition based on a legal fiction.

Claire Robson, Governance Director, Chartered Insurance Institute

I would like to see the reintroduction of the term “data controllers in common”. In practice, I found this to be a helpful description which differentiated those circumstances where two organisations held shared data but needed to retain independence of their processing. Without this distinction, I have found myself in many a complex conversation explaining why we are not entering into a joint data controller relationship!

Redouane Serroukh, Head of Information Governance and Risk / DPO, NHS Hertfordshire and West Essex ICB

I’d welcome clarity on the wording surrounding the right of access. Specifically, on its apparent purpose (‘to be aware of, and verify, the lawfulness of processing’, recital 63) and the ability to refuse a request if it is deemed to be ‘manifestly unfounded or excessive’, art 12(5). Why? Currently there is no requirement for a data subject to provide a reason or motive to make Subject Access Request and therefore makes it difficult for a data controller to confidently challenge a request or use the provisions above. While some guidance/interpretation exists, there appears to be a regulatory gap in the wording.

Mark Roebuck, Prove Privacy

The current regulation is not effective enough to ensure that the regulators are consistent in their approach to sanctions. For example, it is widely discussed on professional social media the UK’s ICO is ineffective in applying sanctions to UK organisations compared with other EU regulators. Article 63 provides for a ‘consistency mechanism’ but is itself only one paragraph long and provides no binding commitment on regulators to align enforcement.

So there you go! Some ideas from the coalface should data reform ever rear its head again, either in the UK or EU.