The Government has confirmed how it plans to reform data protection. Ibrahim Hasan examines the main proposals.
Last week, the Government signalled its plans to reform the UK Data Protection regime by publishing its response to the consultation launched in September last year. In “Data: A New Direction” the Government said it intended “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” Time will tell whether the proposed changes set out it in the response will achieve this aim.
The Government has avoided the temptation to change the title of the UK GDPR to something more post Brexit which says “see, we told you Brexit would bring benefits”. No DPA 2022, however the UK GDPR will be amended as will the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Privacy Management Programmes
The main proposed change will be to the UK GDPR’s accountability framework. This proposal would require an organisation to develop and implement a risk-based privacy management programme that reflects the volume and sensitivity of the personal information it handles, and the type(s) of data processing it carries out. A privacy management programme would include the appropriate personal information policies and processes for the protection of personal information.
To support the implementation of the new accountability framework, the Government intends to remove the requirement to :
- Designate a Data Protection Officer under Article 37. This will be replaced by the need to appoint a suitable individual to oversee the organisation’s DP compliance. A DPO by another name?
- Undertake a Data Protection Impact Assessment under Article 35. Under the new privacy management programme, organisations will still be required to identify and manage risks, but they will be granted greater flexibility as to how to meet these requirements.
- Maintain a Record of Processing Activity (ROPA) under Article 30. Organisations will still need to have personal data inventories as part of their privacy management programme which describe what and where personal data is held, why it has been collected and how sensitive it is, but they will not be required to do so in the way prescribed by the requirements set out in Article 30.
- Consult the ICO, under Article 36, in relation to high-risk personal data processing that cannot be mitigated
Some commentators have likened these proposals to “the Emperor’s new clothes.” There is a lot of tinkering and changing of names but the bottom line (no pun intended) remains the same. Those who take data protection seriously will continue to do what they have always done (e.g. DPIAs and having a DPO) whist those who see data protection as a burden will consider the proposals as an excuse to do the absolute minimum.
Subject Access Costs
The Government, in its response to the consultation, recognises the burden subject access requests can place on some organisations. However, despite there being a proposal in the consultation, it does not plan to reintroduce a fee for a subject access request; nor will there be a cost ceiling for responding to a request like under the Freedom of Information Act. However, in the future, “vexatious or excessive” requests will be able to be refused under Article 12. Query the difference between this and the current wording of “manifestly unfounded or excessive”.
PECR and Marketing
The government also consulted on possible changes to PECR which regulates, amongst other things, cookie rules and unsolicited direct marketing communications. The main changes to expect include:
- Permitting organisations to use analytics cookies and similar technologies without a users’ consent.
- Permitting organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes.
- Extending “the soft opt-in” to electronic communications from organisations other than businesses where they have previously formed a relationship with the person, perhaps as a result of membership or subscription including political parties and non-commercial entities.
- Making it easier for political groups to use data for “political engagement”.
- Increasing the PECR fines to GDPR levels.
There are many more proposals, including to change the structure and governance of the ICO, helpfully summarised in Annex A of the Government’s response. The big question now is how the proposed changes will be viewed by the European Commission. Will it be prompted to review the UK’s current “adequacy status” allowing free transfer of personal data between the UK and the EU? Let us know your thoughts in the comment field below.
Ibrahim Hasan is a solicitor and director of Act Now Training.
This and other GDPR developments will be discussed in detail on Act Now's forthcoming GDPR Update workshop. It also has a few places left on its Advanced Certificate in GDPR Practice course starting in September.