In our extensive guide to GDPR accountability, we explained useful ways in which organisations can demonstrate compliance with the accountability principle under the UK GDPR. As UK data protection law is in the process of being reformed, we take a look at how this will affect the accountability principle and the measures organisations need to implement in order to comply.
Recap – What is the accountability principle?
Before we explain the impact that the new data protection law will have on the accountability principle, a quick reminder of the obligations this principle places on organisations may be useful. Presently set out within Article 5(2) of the UK GDPR, the requirement is for controllers to be responsible for and demonstrate compliance with all of the data protection principles.
Controllers must therefore not only comply with the principles but also show that they comply, which means holding documented evidence of their compliance.
Will there still be an accountability principle under the new law?
The Data Protection and Digital Information (No.2) Bill retains the accountability principle, so organisations will still need to create and maintain documentation to prove that they are complying with data protection legislation. However, as the obligations on organisations will change under the new law, so will the documentation required to comply with it. That said, the government has confirmed that organisations already complying with the existing regime will be compliant with the new data protection framework when it comes into force, which suggests that organisations will not have to create a whole new set of documentation to demonstrate their compliance.
How will the accountability principle change under the new law?
The government has confirmed that it aims to “reduce burdens on organisations whilst maintaining high data protection standards” and “streamline the requirements the current legislation places on organisations to demonstrate how they are complying with the legislation”. Therefore, it should be easier for organisations to comply with the accountability principle, as the bureaucratic burden should be reduced. We look at a few examples to assess whether or not this is likely to be the case.
Record of Processing Activities (“ROPA”)
At the moment, organisations need to maintain a ROPA in accordance with Article 30 of the UK GDPR, unless they are exempt. The ROPA enables organisations to see all their processing activities set out within one document and helps them satisfy the accountability principle. However, this record-keeping requirement will be different under the new law, as it will only be necessary for processing which is likely to result in a high risk to the rights and freedoms of individuals. Therefore, organisations in the UK that are involved in processing personal data only for low-risk activities will not need to keep a ROPA.
Data Protection Impact Assessments (“DPIAs”)
Presently, Article 35 of the UK GDPR requires organisations to conduct a DPIA where processing is likely to result in a high risk to the rights and freedoms of individuals, but this requirement will “disappear” under the new law. However, organisations will still need to carry out an “assessment of high-risk processing”, which suggests that, in practical terms, this may amount to little more than a name change, as high-risk processing activities will still need to be assessed.
Data Protection Officers (“DPOs”)
Article 37 of the UK GDPR requires organisations to appoint a DPO in certain circumstances. This obligation is removed under the new UK law and, instead, organisations will need a “senior responsible individual” (SRI). In practice, where the existing DPO is in a senior management position, they are likely to be the most suitable person for the role, bearing in mind that organisations still need to be confident that they have someone in post who is knowledgeable and experienced enough to advise and guide them on their personal data processing activities. For organisations whose DPO is not in a senior management position, it may be less obvious who this individual should be; however, the SRI is able to delegate their tasks to others to ensure the SRI duties are carried out, and this may include outsourcing to external providers.
Nevertheless, organisations that are also subject to the EU GDPR and are required to appoint a DPO under it will still need a DPO.
When will the new UK data protection law come into force?
The No.2 Bill was laid in Parliament on 8th March 2023 and, having proceeded through the House of Commons, it is now in the House of Lords, where it had its first reading on 6th December 2023 and its second reading on 19th December 2023. It is now at the Committee stage, with a date yet to be announced. It is, therefore, proceeding quite quickly through the legislative process, and there is an expectation that it will complete the process at some point during the spring of 2024. Indeed, a general election is expected in late 2024, so the new bill would need to be passed before then.
What should organisations do now?
If you already have a robust data protection compliance framework in place, you’ll be pleased to learn that there are no immediate actions to take at this stage, bearing in mind the government has confirmed that organisations compliant with the existing law will be compliant with the new law. Once the reforms are finalised and enacted, however, organisations would be prudent to review the new requirements and assess what changes they should make to be ready for when the new law becomes enforceable; there will be a reasonable period of adjustment to allow for this. Should you need any assistance, we would be glad to hear from you.