The UK government plans to introduce significant reforms to the UK GDPR regime in the new Data Protection and Digital Information Bill (DPDIB). The bill was presented to Parliament on Monday 18 July 2022. The second reading was postponed as Liz Truss assumed the role of Prime Minister, and a new date is yet to be announced.
One key objective of the reforms is to do away with unnecessary ‘red-tape’ and provide businesses with a more flexible environment, ‘while maintaining high data protection standards.’ The aim is to make compliance with certain aspects of the data protection legislation easier and to provide clear and comprehensible rules for businesses. The government believes the reforms will cut costs for businesses and increase the chances of building new international data partnerships with countries including the US, Australia and South Korea.
As it stands, the bill proposes changes in the United Kingdom General Data Protection Regulation [Retained EU Regulation] (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003). These changes, if implemented, are likely to cause significant divergence between the EU and UK GDPR regimes, which will inevitably affect businesses on both sides. A summary of the key changes and their overall impact on EU/UK divergence is provided below.
A flexible, risk-based approach
The proposed changes in the DPDIB affect the accountability obligations under the current regime; accountability is one of the fundamental aspects of the GDPR. Under the proposed risk-based approach, an organisation would be required to take protective measures that reflect the volume and sensitivity of the personal data involved. For organisations that are currently UK GDPR compliant, the government encourages changing their approach in the future to take advantage of the added flexibility. However, for EU-facing businesses it seems that implementing the changes would inevitably incur additional costs.
Changes in governance
Under Article 37 of the UK GDPR, certain organisations are required to appoint an individual to function as their Data Protection Officer (DPO). These include all public bodies (except courts) and organisations whose activities require regular and systematic monitoring of data subjects on a large scale, or whose activities consist of large-scale processing of special categories of data or personal data relating to criminal convictions and offences. Many organisations also choose to appoint a DPO on a voluntary basis to ensure their GDPR compliance.
The proposed reforms look to replace this requirement with that of appointing a ‘designated senior individual’ (DSI). They would also shift the trigger for a mandatory appointment within private organisations from a focus on ‘large-scale’ processing to the new risk-based analysis. A DSI would be required where the processing ‘is likely to result in a high risk to the rights and freedoms of individuals…’.
Under the UK GDPR, a DPO could be an employee or an external appointment. In contrast, only an individual holding a senior management position within an organisation may be appointed as a DSI. Unlike the DPO, the DSI will not be required to have expert knowledge of data protection law and practices. However, the responsibilities of the DSI would be largely the same as those of a DPO, save for the requirement to deal with Data Protection Impact Assessments (DPIAs), as these are not required under the proposed reforms.
Under the proposed approach, organisations will have more flexibility on how to identify and manage risks and keep records of their analysis. They will have the choice to continue using DPIAs as part of their compliance, but under the proposals these assessments could be less strict.
The requirement of prior consultation with the Information Commissioner’s Office (ICO) before an organisation starts a ‘high-risk’ processing activity will no longer apply. A voluntary scheme will apply instead, under which an organisation ‘may’ consult the ICO if it wishes. However, choosing not to consult the ICO may result in heavier fines in those high-risk cases.
The DPDIB also proposes more flexible record-keeping requirements in comparison to those under Article 30 of the UK GDPR. The reforms will require organisations to keep ‘appropriate’ records of processing instead of creating and keeping a record of all processing activities that they undertake.
These changes have created concerns amongst professional communities of DPOs and data managers regarding weakening standards and professional security.
The reforms propose changing the Information Commissioner’s Office from a ‘corporation sole’ to a ‘body corporate’, and the name of the office to the ‘Information Commission.’ The functions of the Information Commissioner, as they stand, are already delegated to the ICO management board, in line with good practice. The reforms formalise this structure but have left the functions relatively unchanged.
The reforms propose to change the statutory aims of the ICO and include a new ‘principal objective’ to secure an ‘appropriate level of protection for personal data’ and to ‘promote public trust and confidence’ relating to data use. They also increase the ICO’s reporting requirements to the DCMS and its enforcement powers.
The ICO’s increased discretion relates to when and how it will investigate complaints (e.g., it may decline to investigate vexatious complaints, or those where the complainant hasn’t attempted to resolve the issue with the data controller, or where the controller hasn’t finished investigating).
The increased enforcement powers would enable the ICO to appoint a DSI within an organisation and require them to commission a technical report regarding their data use, to compel witnesses to attend interviews where it ‘suspects’ a potential UK GDPR breach, and to issue penalty notices beyond the current deadline in certain circumstances.
Removal of requirement for a representative in the UK
At present, Article 27 of the UK GDPR requires the appointment of a representative in the UK for organisations that are bound by the UK GDPR but are not based in the UK. The government has justified the removal of this requirement as avoiding duplication. However, this is a clear departure from the EU GDPR.
The DPDIB proposes a less strict, more risk-based approach to international transfers through Smart Data Schemes. It gives the Secretary of State wider discretion in making adequacy regulations. It also removes the requirement for four-yearly adequacy reviews in favour of ‘ongoing monitoring’.
Organisations that are already compliant with EU GDPR or current UK GDPR safeguarding measures will be allowed to continue to uphold these measures if they are not ‘materially lower’ than UK regulations.
Currently, both the EEA and UK generally recognise each other as ‘adequate’ in relation to personal data, and personal data transferred between the two is rarely subject to additional restrictions. Organisations will have to be careful not to significantly change their current practices to remain ‘adequate’ within the EEA.
The proposed reforms aim to provide clarification on various aspects of the GDPR. For example, they alter the definition of ‘personal data’, effectively changing the type of data that can be regarded as ‘anonymous’ and therefore outside the scope of the data protection regime. This is aimed at helping organisations avoid committing ‘accidental’ breaches.
The government also wishes to clarify aspects of the UK GDPR to facilitate innovative re-use of data. Under the current rules, re-use is allowed where it is compatible with the purpose for which it was collected and is compliant with other general processing rules. The reforms set out scenarios in which data can be used for a ‘new purpose’ and are ‘pre-approved’ as compatible and compliant.
Recognised Legitimate Interests
A legitimate interests assessment (to identify a lawful basis for processing data) will no longer be required for a prescribed (and exhaustive) list of activities, which would be known as ‘recognised legitimate interests.’ All these activities will have a public interest element.
Responding to DSARs
The DPDIB proposes changing the threshold for refusing or charging a fee for a data subject access request (DSAR) from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. The meaning of ‘vexatious’ here is the same as in the context of freedom of information legislation (FOIA). It is unclear how significant this change will prove in practice as the FOIA regime operates in a hugely different context to data protection law.
The proposed reforms give organisations further flexibility in relation to DSARs by extending their response time (in addition to the existing extension period available under the GDPR).
PECR 2003 (reforms to cookies and enforcement)
The reforms allow websites to remove their cookie banners under certain circumstances that are regarded as minimal risk (e.g., web analytics, automatic updates etc.). The rationale behind this is to make websites more customer friendly. However, this would need to be clearly explained to users, and they will need to have the ability to opt out.
The reforms also increase the maximum fines for serious breaches of PECR to UK GDPR levels, which is noteworthy as the majority of fines imposed by the ICO have historically been for breaches of PECR.
How will these reforms affect businesses?
Since 2018, the GDPR, and now the UK GDPR, have become widely recognised and accepted amongst businesses and consumers. With growing consumer scepticism around data collection and processing, the proposed changes may disrupt the delicate balance between consumers, businesses and the way that data is transferred between the two.
The proposed reform is likely to result in existing businesses having to undertake significant work to adapt to the new regime. For EU-facing businesses, there will be a need to retain the UK GDPR measures for compliance (it remains to be seen whether the EU would accept this as compliant where the more general UK data protection regime has been varied, should the proposed reform pass). If the European Commission makes any negative decision regarding the adequacy of the UK’s reformed standards, the flow of personal data between the two jurisdictions is likely to face obstructions, which would be especially costly for businesses to overcome.
Whether the reforms will help build new data relationships with the US or Australia also remains to be seen, as many countries are increasingly adopting GDPR-like provisions around issues like the rights of data subjects, the need for transparent privacy notices and stricter data transfer restrictions. GDPR provisions are highly regarded by consumers globally, as they provide the highest level of protection available.
However, the extent of these impacts depends on the final form the DPDIB will take. As it goes through Parliament, there is no doubt that the bill will be discussed and amended. Businesses should remain alert to any proposed changes and to the level of divergence from the EU GDPR, which seems likely to be problematic.