August 11, 2022
With the arrival of the digital information bill, you might be thinking - more data protection?! How can it be? This sector is poppin’ right now, and we’re here to give you the latest. Strap in, this one’s a good’un.
The Government has recently introduced a new Data Protection and Digital Information Bill to Parliament, following publication of the government’s response to the Data: a New Direction consultation.
It is important to note that this isn’t law yet – and may never become law, either in its current form or perhaps at all – so this isn’t news you necessarily want to start acting on right now. However, if the bill becomes law, there would be a fair few changes to the requirements on UK organisations, and it never hurts to be in the loop.
For organisations that operate across the UK and the EU, or UK businesses that target EU customers, the changes may actually complicate things rather than “removing red tape” (one of the government’s stated reasons for the bill), because those organisations would need to comply with two different legal regimes at once. Our DP team are just itching to dive in!
As with most legislation, the bill isn’t exactly a light holiday read. We’ve therefore put together a quick summary of a few of the key changes so you don’t have to trawl through the whole thing.
Let’s break it down into bite-sized chunks (with chocolate chips)…
The bill proposes a new section of the Data Protection Act 2018 which would narrow the definition of “personal data”. Information would only be personal data where the individual is identifiable by the controller or processor by reasonable means at the time of processing, or where the controller/processor knows or ought to know that someone else is likely to obtain the information as a result of the processing, and that person is likely to be able to identify the individual by reasonable means at the time of processing.
Currently only “strictly necessary” cookies can be set without obtaining express consent from website/app users. The proposed changes would remove the need for cookie consent for certain “low-risk” activities, such as audience measurement. The government reckons this will make it easier for businesses to use information to improve their services, and it would certainly make a lot of marketing teams a lot happier!
However, the cookie consent rules in the EU will remain the same, so if your website is targeting individuals in the EU, you’ll still need the same cookie consent banners for them as before. In practice you may as well keep using them for UK visitors too, to save running two different set-ups. A slightly less exciting prospect!
The bill aims to introduce a list of “recognised legitimate interests” (legitimate interests being one of the grounds on which organisations can process personal data) for which organisations would not be required to conduct a full legitimate interests assessment. You would still need to identify the legitimate interest and establish that the processing is “necessary” for it, but you would not need to balance it against the interests of the individuals, i.e. you would still do parts 1 and 2 of the current three-part test, just not part 3. The proposed list is quite short and specific, but could be added to in future by the Secretary of State.
No, the UK GDPR fines aren’t getting any higher. However, the maximum fines under the Privacy and Electronic Communications Regulations (PECR) would be increased so that they match the maximum fines under the UK GDPR and Data Protection Act 2018. PECR sets out the rules for direct marketing and electronic communications, i.e. it deals with things like unsolicited marketing calls and emails (and cookies, as mentioned above).
Come fly with me, let’s transfer data away…
The potential changes include a risk-based approach to the transfer of personal data outside the UK. We’ll be honest, this doesn’t sound a whole lot different from the existing way of doing things. The main change is to the required standard of protection in the destination country: the bill requires it to be “not materially lower” than the UK standard, whereas the GDPR requires an “adequate” level of protection, which has been interpreted as “essentially equivalent”.
Instead of a Data Protection Impact Assessment (DPIA), businesses would need to conduct an “assessment of high risk processing”. At the moment it sounds likely this will be very similar to conducting a DPIA in practice, so we’ll have to wait and see whether the idea develops!
The test for whether you can refuse to comply with a Subject Access Request is currently whether the request is “manifestly unfounded or excessive”. The new test would be whether the request is “vexatious or excessive”. This doesn’t initially sound very different, but a lot depends on how the term “vexatious” comes to be interpreted.
Who is currently in charge of data protection compliance for your business? It might be a Data Protection Officer (DPO), who reports to the senior management team. Under the proposed rules, there would be no requirement for any organisation to appoint a DPO. Instead, where the organisation is carrying out high risk processing it would be required to designate a “senior responsible individual”. This individual must be part of the senior management team, and the obligations on them are similar to the current DPO requirements.
If this change goes ahead, some organisations may promote their DPOs into the senior management team. However, we anticipate that many companies will prefer to appoint one of their existing senior managers as the “senior responsible individual” and have that person delegate the day-to-day work to whoever currently deals with data protection (e.g. the existing DPO). This makes particular sense for groups which include companies in EU countries, because the EU GDPR requires a DPO to report to, rather than be part of, the organisation’s senior management.
Currently, businesses based outside the UK without an “establishment” here, but which offer goods or services to UK individuals or monitor their behaviour, need to appoint a UK representative. The aim of this is to ensure that there is someone within the UK who can be contacted by the ICO and by individuals, rather than relying on getting hold of an overseas business. The bill would do away with this requirement. (Again, the equivalent requirement for the EU remains.)
Currently the Information Commissioner is an individual, and everyone working at the Information Commissioner’s Office (ICO) does so on behalf of the Information Commissioner. As part of the reforms, the ICO would be replaced by the Information Commission, a body corporate. However, the bill would also give the Secretary of State greater oversight of the regulator, meaning that the Information Commission would be open to political influence to a greater degree than the ICO is today.
The bill is currently passing through the House of Commons, and is set to be put through its paces at its second reading on 5th September 2022. Don’t make any decisions based on it yet, as we don’t know what will make it into the final law. We’ll keep an eye on events as they play out, so make sure to check back in for more from us soon!
In need of some help with your data protection management? Get in touch with our team of data protection experts.