The new Data Reform Bill, announced in this year’s Queen’s Speech, is designed to strengthen the UK’s high data protection standards while reducing burdens on businesses. Overall, the Government’s objective is to give organisations more control and flexibility around data protection management, drive economic growth and innovation, and strengthen public trust in the use and processing of data, all of which is a positive step forward.
Many organisations have grappled with the GDPR and the Privacy and Electronic Communications Regulations (PECR) ever since the GDPR came into force in 2018, and many interpretations still exist. The GDPR was a welcome component of EU privacy and human rights law, moving the processing of personal data from guidance to regulation.
Many UK organisations rely on the Legitimate Interest legal basis to process personal data. However, there are many assessments and key data capture techniques which must be put in place to process information in this way, ensuring that those interests are balanced against the fundamental rights of individuals. To this extent, the reform will contain several sensible proposals, and there will also be a relaxation of some of the more burdensome accountability obligations whilst retaining a robust data protection regime.
The UK Government has now released its much-anticipated response to the consultation. Overall, these reforms do not overhaul existing UK data protection regulation; for the most part they modify obligations that UK organisations are already familiar with under the existing regulation. Some key highlights from the response are as follows:
The appointment of a senior level individual
The requirements around Data Protection Officers and the designated officer will now be removed, but there is a new requirement to appoint a senior level individual who will be responsible for data protection and for overseeing the organisation’s privacy management and compliance.
Implementation of a privacy management programme
Records of processing activities and data protection balancing assessments are set to be replaced: as the government moves forward, organisations will instead be required to implement a Privacy Management Programme (PMP). Any organisation that already aligns to the principles of the UK GDPR should not be too concerned about implementing a PMP, as it will already have the relevant requirements and procedures in place around its own processing activities.
Changes to the SAR threshold
Subject access requests (SARs) and the right of access are key components of a data protection framework. The response to the consultation showed that organisations large and small found dealing with subject access requests a time-consuming exercise. The government is proposing to change the current threshold for refusing or charging a fee for SARs, so that the ‘manifestly unfounded or excessive’ test becomes ‘vexatious or excessive’. This will bring it in line with the Freedom of Information regime, an area where mixed views exist: organisations in favour of a cost limit argued that this would be beneficial to SMEs and make complying with subject access requests more manageable. The other view is that introducing a cost limit would be detrimental to individuals’ rights and could cause mistrust between organisation and individual.
Privacy and Electronic Communications (EC Directive) fines
It is proposed that PECR be amended to allow the ICO to levy fines of up to £17m or 4% of a business’s global turnover, thus bringing greater harmony between the fines imposed under PECR and those under the UK GDPR and DPA 2018. This is an encouraging step forward and should lead to stronger compliance around the use of electronic marketing and how it is performed.
Direct marketing and PECR
Currently, organisations are allowed to use the soft opt-in when using electronic channels to contact a customer, i.e., if the email address was obtained in the course of a sale or transaction, there is a reasonable expectation of further contact. The government has now extended this to non-commercial organisations, which in most cases includes charities. This must be music to charities’ ears, but as a cautionary note, those organisations will need to ensure the appropriate accountability and safeguards are in place to protect individuals’ rights, making sure there is a clear audit trail and that the provenance of the data supports processing it in this way; otherwise we could see larger volumes of unwanted communications.
The government intends to create a limited list of processing activities for which the requirement to conduct and evidence a balancing exercise no longer applies. Predominantly this will include areas such as preventing crime, safeguarding reporting, or other areas which fall under the ‘public interest’.
The government proposes permitting cookies (and similar technologies) to be placed on a user’s device without explicit consent ‘for a small number of other non-intrusive purposes’. In practice this means cookies could be set without seeking consent, but the website must give the user clear information about how to opt out. It has also stated its intention to move to an opt-out model of consent for cookies placed by websites once ministers are content that users have access to technology that lets them effectively manage their preferences on how their data is processed, except in cases where a website is likely to be accessed by children.
Reform of the ICO
The UK government also intends to reform the Information Commissioner’s Office. Some key takeaways are a refocus of regulatory enforcement on the most serious threats rather than the high volume of low-level complaints, and a reform of the complaints framework, i.e. data subjects must attempt to resolve their complaint directly with the relevant data controller before lodging a complaint with the ICO. There will also be a requirement on the ICO to set out the anticipated timelines for the phases of an investigation to the relevant data controller at the beginning of that investigation. The ICO has expressed its support for the proposed reforms in its response to the UK Government.
Organisations operating in the UK that already comply with the UK’s current data protection regime will almost certainly be compliant with the new regime, and the impact of the proposals on them should be minimal.