Following the UK’s departure from the EU, the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) launched a consultation on September 10th this year to outline its proposals for reforming the UK’s data protection legal framework and regulatory regime. The UK’s data protection framework was last significantly updated in 2018, when the General Data Protection Regulation (GDPR) and the Data Protection Act took effect, replacing laws that had been in force for two decades.
The consultation was announced in August with the stated goal of “developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK”. The paper includes an extensive set of proposed amendments to the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), which could amount to an overhaul of the existing UK data protection regime.
In this blog we will outline some of the key proposals that should be noted by businesses, and highlight the potential challenges that could arise, should these proposals come into force.
What is changing?
Well, nothing just yet. The consultation period is the first step in a considered process for delivering the UK government’s National Data Strategy, which is intended to secure a pro-growth, innovative and trusted data regime. The proposal paper has been published and is open for the public to review and comment on. The document runs to 142 pages and contains over 70 proposals, so with that in mind we will provide an overview of the contents of the consultation paper.
In general, the UK government’s aim is to steer the UK away from some of the standards that apply under the European General Data Protection Regulation (EU GDPR) and ease the rules on the more binding standards under the UK GDPR.
Further, the UK government plans to reduce the burden on the ICO in investigating grievances, with an emphasis on complaints first being raised with the data controller (the organisation that determines the purpose and means of personal data processing) before being filed with the ICO, so that the ICO can focus on complaints that carry a more significant risk of harm to individuals.
The consultation also considers how the new standards can help alleviate the risks and concerns that result from algorithmic bias. This follows the EU, which is already setting legislation in motion with its draft Artificial Intelligence Regulation. These draft regulations are part of a wider EU drive to ensure that AI is developed and controlled in an ethical and trustworthy way.
The proposals focusing on the legal conditions are, for the most part, clarifications intended to help companies establish a legal basis for processing, whilst others serve the stated aim of making the UK’s data regime “even more ambitious, pro-growth and innovation-friendly”.
The plethora of proposals within the document fall under five objectives; we have highlighted a few key takeaways within each:
1. Reducing barriers to responsible innovation
The new regime seeks to provide greater clarification in legislation to offer guidance and support in applying the rules, in turn helping innovators achieve their goals in ground-breaking data-enabled products.
It proposes that the requirement for human oversight in relation to automated decision-making be removed, and that automated decision-making be permitted where one of the lawful grounds for processing under Article 6(1) is met.
Another key point within this objective is the proposal of a clearer test for establishing when data will be regarded as anonymous, an assessment which can in certain circumstances be complex. Bringing clarity to that assessment will be welcomed by organisations looking to anonymise data sets in order to avoid the risks associated with using personal data.
2. Reducing burdens on businesses and delivering better outcomes for people
The government plans to steer the UK’s data protection regime away from what it considers a “box-ticking regime” that places unnecessary burdens on organisations. To address this, it proposes to implement a more flexible and risk-based accountability framework whilst retaining the principle of accountability “at its heart”.
Accountability is a key principle under the UK GDPR and requires evidence-based compliance; organisations must be able to evidence their compliance with the UK GDPR’s core principles. Achieving robust levels of compliance, in line with the UK GDPR and the ICO’s current accountability guidance, is not a negligible commitment for an organisation, and the UK government’s proposed reforms suggest a potential shift away from requiring such a commitment. That said, the proposed privacy management programme framework, which would require organisations to develop and implement a risk-based privacy management programme reflecting the volume and sensitivity of the personal information they handle and the type(s) of data processing carried out, does not seem too dissimilar to the current legislative requirements. Those requirements ask organisations to take a proportionate, risk-based approach and implement appropriate organisational and technical measures, taking into account the nature and scope of the processing.
As a result, it will be interesting to see how the government’s proposals work in practice, as on the face of it there does not seem to be much difference between the current accountability requirements and the proposed requirements for implementing a privacy management programme. There is even an argument that the proposals remove some of the clarity organisations currently have around how they should do certain things, in order to give businesses more discretion, which is ironic given the desire to create more clarity. An example is the obligation to carry out DPIAs in specific circumstances, which the government plans to replace with a general requirement to assess and mitigate risks.
Significantly, the government proposes to remove the existing requirement to designate a data protection officer under the UK GDPR, as it does not believe the current requirement necessarily drives the intended outcomes of the legislation. The government’s new proposal is to replace the DPO requirement with a designated suitable individual, or individuals, responsible for the privacy management programme and for overseeing an organisation’s data protection compliance.
Data Protection Officers
The government admits there may be risks to removing the data protection officer role and highlights that organisations will still need to meet the legislation’s requirements. In reality, would much change? Not every organisation is required to appoint a DPO now, and appointing a DPO is just one of many requirements organisations must consider when aligning themselves with the UK GDPR’s rules. It appears that a designated individual would have to fulfil the key tasks of a DPO as specified under the current regime: being responsible for an organisation’s data protection programme and overseeing the organisation’s data protection compliance are the key tasks of a DPO today.
It will be interesting to see how this proposal plays out. Organisations will need clear guidance as to what “a designated suitable individual” looks like if this proposal comes to pass. Assessing whether a DPO is mandatory under the UK GDPR is not always straightforward today, so the government will have to provide clear parameters as to what skills and experience a designated individual should have.
The UK government has also suggested what could be considered a “U-turn” in respect of the handling of subject access requests (SARs). Enhanced individual rights were a key change under the GDPR. For example, the £10 fee payable by data subjects making SARs under the old data protection regime was removed, and the time organisations have to respond to requests was shortened from 40 days to one calendar month. These changes have led to individuals having greater awareness of their information rights and, in many cases, to a drastic increase in the number of SARs received by organisations.
Amongst its proposals in this consultation, the government is now considering whether to introduce a fee regime for SARs in order to address the challenges organisations have faced in the past few years when dealing with SARs, particularly the significant strain on resources and the time-consuming nature of responding to them.
3. Boosting trade and reducing barriers to data flows
The UK government wishes to boost international trade by creating a more flexible approach to data transfers and removing what it considers “unnecessary barriers”. The government suggests this could be achieved (1) by making better use of the UK’s adequacy framework, introducing adequacy assessments to widen the list of countries deemed by the UK to offer adequate data protection, and (2) by improving the alternative tools that facilitate transfers, creating a proportionate, flexible and more interoperable regime.
A key aim of the government’s proposals is to give the UK data protection regime the capacity to be compatible with any potential new international transfer regimes, regardless of the mechanisms they use to transfer data. As such, the government is considering whether to empower organisations to create or identify their own alternative transfer mechanisms that provide appropriate safeguards, thus removing prescriptive legislative requirements.
4. Delivering better public services
In light of the COVID-19 pandemic, the government sees an opportunity to build on that experience and the challenges the pandemic posed in order to deliver public services in more efficient and innovative ways.
The new regime proposes to clarify that private organisations and individuals who have been asked to process personal data on behalf of a public body, “may rely on that body’s lawful ground for processing the data under Article 6(1)(e) of the UK GDPR and need not identify a separate lawful ground”. This change would also support effective collaboration between the public and private sector in any future public health emergency, or in relation to other matters of public interest.
Cultivating public trust and transparency is crucial if the government is to deliver better public services. This objective also includes a proposal to introduce compulsory transparency reporting on the use of algorithms in decision-making by public authorities. This is intended to ensure greater fairness, provide explanations to individuals affected by such decisions and help to gain public trust.
5. Reform of the Information Commissioner’s Office
The new regime proposes a new governance framework for the ICO, the independent body responsible for upholding information rights in the UK. The framework sets out strategic objectives and duties that the ICO must meet, and includes establishing an independent board and a chief executive to enhance diversity, challenge and scrutiny within the ICO. These changes would introduce a new overarching objective for the ICO with two elements: upholding data rights and encouraging trustworthy and responsible data use. As data becomes increasingly important, the government wants to ensure the ICO has the right expertise and skills in-house to discharge its duties successfully.
The government proposes to put in place mechanisms to “ensure the ICO continues to work closely with other regulators in order to ensure a coherent, innovation-friendly and streamlined regulatory landscape, thereby achieving better regulatory outcomes in digital markets.”
Please note: we have selected only a few of the proposals outlined by the government. The consultation paper states that the proposed changes will offer further benefits that are more difficult to quantify economically, and, as with any new data regime, it will not come without its challenges.
What are the potential challenges?
There is no doubt that the proposals aim to benefit the UK, for example by delivering better public services, enhancing the ability of our law enforcement agencies to protect public safety and national security, and supporting the development and commercialisation of new products and services, to name a few.
But as we mentioned earlier, some of the suggested proposals throw up questions. Loosened standards could relieve UK organisations of the UK GDPR’s more binding requirements, but for businesses that operate in both the UK and the EU it could prove complex, forcing them to comply with two sets of rules. If those businesses then decide to comply with the more stringent standards under the EU GDPR, the easing of some of the UK GDPR rules would render little or no benefit to them.
Furthermore, if the UK were to take a blinkered approach and concentrate on “bias mitigation” within the proposed changes to algorithmic bias, it could be left behind in terms of how AI aims to enhance and support modern-day life.
We should also mention the recent public backlash over the government’s plans to acquire NHS patients’ medical records data. Removing such barriers for research purposes may not be viewed favourably by the general UK public. Nevertheless, the government states that “the data reforms will provide clarity around the rules for the use of personal data for research purposes, laying the groundwork for more scientific and medical breakthroughs”.
Although there will be many questions and issues that could arise from the new proposed regime, the consultation is now open to responses from public bodies, organisations and individuals UK-wide. This window of opportunity is open for 10 weeks and closes on the 19th November, and responses will be published in due course.
Whilst the consultation is undoubtedly considered and extensive, it should be observed closely from both a legal and operational standpoint. With many countries adopting ever more robust data protection laws (see our recent China Data Protection Legislation blog), it remains to be seen how many of these proposals will ultimately be implemented by the UK government and if implemented, what they will look like. We are only three years into the GDPR in the UK and there have been many changes and clarifications from a legal, guidance and case law standpoint which have already caused organisations to consistently review their approach and make operational changes. These proposed changes may add another layer of complexity and confusion as opposed to innovation and efficiency, inevitably leading to further spending by organisations.
As we have already covered, one of the main hurdles will be how proposals will operate where an organisation is subject to both the UK GDPR and the EU GDPR.
But perhaps the biggest question mark still hangs over what effect, in reality, the potential changes may have on the UK’s adequacy status. The UK government states that “it is perfectly possible and reasonable to expect the UK to maintain EU adequacy as it begins a dialogue about the future of its data protection regime…”. However, the European Commission had in fact warned the UK government, when issuing its adequacy decision, that adequacy could be revoked “immediately” were the UK to weaken its data protection standards, which would mean data could no longer flow freely between the EU and the UK.
There may still be questions, but what is clear is that the impact of the proposed changes on international businesses will depend on the EU’s response to the new UK standards if they come to pass. As always, we will update you on any further developments in the months to come.
As a specialist data protection consultancy, Evalian® is well placed to assist you with any queries you might have on the data protection implications of the UK government’s proposed changes.
If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.