The UK data protection reforms are on the horizon. Having left the EU on 31st January 2020, the government is now ‘free’ to introduce its own legislation, rather than being obliged to follow the laws decided in Brussels. Whilst much of the applicable EU law was transposed into UK domestic law on exit day, the UK has since indicated a desire to implement its own legal frameworks and, with this in mind, the government opened its consultation into the UK data protection reforms ‘Data: a new direction’ on 10th September 2021. This consultation closed on 19th November 2021, having run for 10 weeks and the government issued its updated response on 17th June 2022.
In its response, the government confirmed an ambition to “…establish the UK as the most attractive global data marketplace…” by reducing the burdens on businesses and delivering benefits for the economy, individuals and society as a whole.
What impact will the UK Data Protection Reforms have on the UK adequacy status?
Whilst this all sounds very positive, there are concerns that the UK is at risk of losing its adequacy status if it veers too far from the existing provisions of the GDPR and, as a result, this could negatively impact UK businesses that trade with organisations in the EU. However, the government has confirmed that it will maintain the necessary standards to retain its adequacy status, highlighting that the law does not have to be exactly the same as the GDPR.
There is also a worry that any major changes to the present regime will cost businesses significant amounts of time and money in having to adjust to yet another set of rules. Many organisations found implementing the GDPR a costly exercise and cannot afford a repeat of this. However, the government has offered a degree of reassurance by confirming that organisations that already comply with the UK data protection law will comply with the new regime.
The government has released a 62-page document explaining its proposals, the detail of which is set out within five chapters, namely:
- Reducing barriers to responsible innovation.
- Reducing burdens on businesses and delivering better outcomes for people.
- Boosting trade and reducing barriers to data flows.
- Delivering better public services.
- Reform of the Information Commissioner’s Office.
The electronic document is easy to navigate with each of the above links taking you directly to that topic. It is also useful to know that there is a table at the end of the document, which lists all of the proposals, together with confirmation of the government’s next steps for each of them, using the following codes:
“A” means the government will proceed with this proposal.
“B” means that the government is still considering this proposal.
“C” means that the government does not plan to proceed with this proposal.
Whilst all of the proposals are important, in this blog, we focus on some of the key areas that our readers are most likely to be interested in.
The government considered that the existing data protection legislation can hinder progress in scientific research and, in order to remove these barriers, has decided to introduce numerous proposals including:
- Consolidate research provisions into a single chapter
- Create a statutory definition of scientific research
- Incorporate ‘broad consent’ for scientific research into legislation (i.e. move it from Recital 33 into the face of the legislation)
- Adopt the European Commission’s test for anonymisation
- Introduce several measures relating to the use of artificial intelligence
- Introduce a limited list of processing activities for which no legitimate interest assessment will be required.
The last bullet point listed above will, no doubt, be of particular interest to almost all controllers. However, the list will be much narrower than initially proposed and is likely to be limited to processing activities that are conducted by controllers for the purposes of crime prevention or detection, reporting safeguarding concerns or other public interest-related issues.
The government wanted to address the concern that the data protection legislation can place a disproportionate burden on some organisations and identify ways of reducing this burden.
- Personal Data Breaches
The government sought views on whether the threshold for reporting personal data breaches to the ICO should be changed but, as the responses were mixed, the government will not proceed with this proposal at the moment.
- Privacy Management Programmes (“PMPs”)
The outcome of the consultation revealed that organisations wanted a more flexible and risk-based framework that would allow them to use their resources more effectively. In view of this, the government plans to proceed with the requirement for organisations to implement PMPs. The government believes this approach will allow organisations to take a more proportionate approach such that those processing large volumes of high-risk or special category personal data will be required to implement the most robust practices.
- Data Protection Officers (“DPOs”)
Despite the majority of respondents disagreeing with the proposal to remove the requirement for DPOs, the government has decided to proceed with this. However, there will be a new requirement for organisations to appoint a senior member of staff who will take on most of a DPO’s responsibilities, oversee the PMP and ensure a data protection culture is embedded within the organisation.
- Data Protection Impact Assessments (“DPIAs”)
The majority of respondents were opposed to the proposal to remove the requirement to conduct DPIAs but the government, nonetheless, plans to proceed with this proposal. The justification for this is that under the new PMPs, organisations will still need to identify and manage risks.
The government also plans to proceed with the proposal to remove the mandatory requirement to consult with the ICO before conducting any high-risk processing and instead invite organisations to consult with the ICO on a voluntary basis.
- Record of Processing Activities (“ROPA”)
Most respondents objected to the proposal to remove the requirement to maintain a ROPA but, despite this, the government plans to proceed with it. By way of explanation, the government notes that organisations will need to have personal data inventories as part of their PMPs, which will require organisations to document their processing but in a manner that is more suitable for each organisation.
- Subject Access Requests (“SARs”)
Of the proposals relating to SARs, the government has decided to change the test for refusing to process a SAR from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’ but will not introduce a nominal fee for SARs and will not introduce a costs ceiling such as that which applies to requests for information under the Freedom of Information Act.
- Privacy and Electronic Communications Regulations (“PECR”)
There were numerous proposals relating to the PECR and the key changes that the government has decided to implement are to:
- Remove the need for cookie banners
- Remove the requirement for consent to use analytics cookies
- Remove the requirement for prior consent to place cookies on a user’s device for a small number of non-intrusive purposes
- Extend the soft opt-in for direct marketing purposes to communications from political parties and non-commercial organisations
- Increase fines under the PECR to UK GDPR levels
The government has decided that risk assessments and proportionality are the most appropriate tools to apply when considering the adequacy status of a third country. With that in mind, the government has decided to create a new power for the DCMS Secretary of State to recognise alternative transfer mechanisms (ATMs), which will mean that ATMs will be introduced in due course.
However, the proposal that ‘reverse transfers’ be exempted will not be adopted and neither will the repetitive use of derogations for international transfers.
This section addresses concerns relating to the lawful bases that can be relied upon when delivering public services and, in particular, when private organisations are engaged to help deliver those services. Of the proposals put forward, the government intends to proceed with the following:
- Extend the public service delivery powers under the Digital Economy Act 2017 to include businesses to enable more joined-up public services
- Introduce legislation to clarify which lawful grounds a private organisation can rely upon when asked by a public body to help deliver a public task
- Clarify the rules on processing biometric data in policing
- Align key terms that are used within the UK GDPR and Part 3 of the DPA 2018 (law enforcement purposes)
This section addresses the proposals relating to the duties and powers of the ICO. There was a long list of proposals, most of which the government has decided to proceed with. Of particular interest is that the government will introduce the following:
- A new statutory framework, setting out the ICO’s strategic objectives and duties
- Numerous new duties for the ICO
- An independent board and CEO for the ICO
- Key Performance Indicators for the ICO
- Requiring controllers to have a complaints handling process
- Criteria for the ICO to use to determine whether to pursue a complaint
Also, whilst this was not a proposal, the government has indicated that the ICO will change its name to reflect its new governance model. The ICO published a statement on 16 June 2022 in support of the ‘ambition’ of the reforms.
What does this mean for your organisation?
Whilst there are numerous proposals, none of them is so drastically different from the existing regime so as to place additional significant burdens on organisations, which will be a relief to businesses across the country. As mentioned above, the government has already stated that organisations will comply with the new regime if they are compliant with the UK’s current data protection framework.
These changes are not imminent and they are unlikely to happen in the near future. As such, there is nothing for you to do right away in relation to the government’s response to its consultation. If anything, making sure your organisation complies with current UK data protection legislation will be the best approach right now.
Although there will be a period of adjustment once the changes take place, the ICO has indicated that it will focus on bringing certainty for businesses (by setting out what they expect from them) and for data subjects (by confirming what their rights are). Such guidance will, no doubt, be welcomed.
We will continue to maintain a watching brief on the government’s response and keep you updated on the changes outlined above.
As a specialist data protection consultancy, Evalian® is well placed to assist you with any queries you might have on the data protection implications based on the UK government’s proposed changes.
If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.