On 17th June 2022, following a consultation on reforms to UK data protection law, the Department for Digital, Culture, Media & Sport (DCMS) published its much-anticipated Data Reform Bill. As the UK government in a post-Brexit world, look to replace the General Data Protection Regulation (GDPR) previously described as “red tape and pointless paperwork”, their reform aims to “secure a pro-growth and trusted data regime” by helping to realise the benefits of the use of personal data and reduce burdens on business.
The reform proposes to provide a “clearer sense of how to determine access to and benefit from their own data” and outline changes to existing requirements including;
- Providing clarification and provisions for data processing for scientific research purposes,
- Adopting the Council of Europe’s test for anonymisation of data,
- Remove consent requirements for analytics cookies and a future plan for an ‘opt out’ model for all cookies,
- Aligning the PECR (regulations which sit alongside the GDPR and sets out more specific privacy rights on electronic communications including digital marketing), enforcement regime in line with the UK GDPR and DPA 2018 (including increasing the levy fines to up to £17.5m or 4% of global turnover),
- Extending “soft opt in”, which allows direct marketing by businesses where the personal details have been previously obtained in the context of the sale of a product or service, to communications by political parties and non-commercial organisations,
- Increase powers by the DCMS Secretary of State to assess adequacy for international data transfers and formally recognise alternative transfer mechanisms,
- Modernising the ICO; changes to the governance model, objectives and a refocus of statutory commitments.
Whilst there is still much to unpack from the recently published draft bill, we highlight the key proposed changes which may impact your compliance programmes, this includes;
- Introduction of privacy management programmes to take a risk-based approach to data privacy,
- Replace the requirement for a Data Protection Office (DPO) with a suitable senior individual overseeing part of the privacy management programme,
- Removal of the requirement to conduct a Data Privacy Impact Assessment (DPIA), instead implementing risk assessment tools to identify and manage risks,
- Removal of the requirement to maintain a record of processing activities, replacing it with a more flexible record keeping requirement,
- Replace mandatory requirements to consult the ICO about high-risk processing which cannot be mitigated, with voluntary prior consultation,
- Amend the threshold for refusing to respond or charging a reasonable fee for a subject access request from “manifestly unfounded or excessive” to “vexatious or excessive”,
- A limited list of legitimate interests will be created whereby a balancing test is not required. An example includes “processing of customer data for the purposes of installing security updates on a device”. By introducing a list of processing activities without having to carry out a test to balance the legitimate interests of the company and the rights and freedoms of data subjects, it aims to reduce time and effort for the assessment and remove the need to ask for consent (which organisations tend to fall back on when worried about incorrectly applying the balancing test).
One of the big questions that the Data Reform Bill does not address is how it may affect the European Commission’s (EC) adequacy decision which facilitates the free flow of personal data between the EEA and countries covered by an EC adequacy decision and UK. To avoid the risk of losing its adequacy decision, a careful balancing act is required to ensure any changes to UK data protection does not divert too far away from an “essentially equivalent” level of data protection to that which exists within the EU. If this balance is not achieved, this could put the UK in yet another battle with the EU.
Whilst it is unlikely the proposals within the Data Reform Bill will significantly change the way in which organisations currently manage their data protection compliance obligations, you may wish to consider how to best apply a privacy management programme that sufficiently manages and mitigates risk whilst promoting the responsible use of personal data.
If you would like to discuss support with your risk and privacy management processes, do reach out to book a free 30 minute consultation on email@example.com or call us on 0121 288 5227.
Sei-Ting Leung, Compliance Consultant