UK Data Protection Change Consultation – Summary

In the last few days the Department for Digital, Culture, Media and Trade has issued a consultation on changes to the UK GDPR. The Consultation Paper states that “the government recognises that any data protection regime requires active interpretation and application to new and emerging technologies”.

The paper deals with:

  • Reducing barriers to responsible innovation
  • Reducing burden on businesses and delivering better outcomes for people
  • Boosting trade and reducing barriers to data flows
  • Delivering better public services
  • Reform of the Information Commissioner's Office

The overall aim is to drive economic growth and innovation but continue to strengthen public trust in the way that personal data is used. The measures proposed set out to be both adaptable and sensible and ease some of the burden that the GDPR has placed on businesses.

The paper does highlight the fact that the UK GDPR and PECR are likely to have changes made to them; however, the UK will continue to be a place where data protection is taken seriously. The UK wants to retain its adequacy and is not going to make changes that could jeopardise this.

What are the proposed changes?

Legitimate interests – create a limited exhaustive list of legitimate interests

Currently, if an organisation wishes to use legitimate interest as the lawful basis for processing, it must carry out a Legitimate Interest Assessment (the balancing test) to ensure that the processing is fair.

The proposal is to create a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test to give them more confidence to process personal data without unnecessary recourse to consent. The processing would still have to be necessary for the stated purposes and proportionate.

For those activities not on the list, the balancing test would still be applied. The balancing test could also be maintained for use of children’s data, irrespective of whether the data was being processed in connection with an activity on the list.

Soft Opt In – extend to charities and political parties

In relation to direct marketing activities, businesses can contact individuals who have previously been in touch during a sale or transaction and have not refused or opted out of receiving marketing communications about similar products.

However, the soft opt-in is currently only available to commercial organisations and is not available to charities or political parties.

The proposal is to extend the soft opt-in to both charities and political parties; this could be good news for charities.

Accountability – implement a privacy management programme

The current legislation sets out requirements that organisations must satisfy to demonstrate compliance. For SMEs and those carrying out low-risk processing this is an increased burden.

The proposal is to implement a more flexible and risk-based accountability framework which is based on privacy management programmes.

Under this framework, organisations would be required to implement a privacy management programme tailored to their processing activities and ensure data privacy management is embraced holistically rather than just as a ‘box-ticking’ exercise.

To support the implementation of privacy management programmes, the government proposes to amend or remove specific compliance requirements in the UK GDPR, which are disproportionately burdensome.

To further support organisations who can demonstrate a proactive commitment to accountability, the government is considering whether to introduce a new voluntary undertakings process, similar to Singapore’s Active Enforcement regime.

Data Protection Officer – remove existing requirement for some organisations to appoint a DPO

Some smaller organisations may find it difficult to appoint a suitable DPO.

The proposal is to remove the existing requirements to designate a data protection officer, but instead to nominate a suitable individual(s), to be responsible for the privacy management programme and for overseeing the organisation’s data protection compliance.

Organisations still need to be compliant with data protection law, and therefore the onus is still on the organisation to ensure that personal data continues to be secure, that it continues to comply with the data protection legislation, and that it remains accountable for that compliance.

DPIA, Data Protection Impact Assessment – do all organisations need them?

Data protection impact assessments are one of the ways in which an organisation can effectively identify, assess and minimise data protection risks.

Nevertheless, the proposal is to remove the requirement for organisations to undertake a data protection impact assessment, so that organisations may adopt different approaches to identify and minimise data protection risks that better reflect their specific circumstances.

Organisations must be careful not to increase risk by undertaking high-risk processing without an adequate assessment of its impact; however, this risk can be mitigated by having a robust privacy management programme in place.

It is anticipated that regulatory guidance would offer strategies that organisations should consider adopting to protect personal data, including when and how they may want to undertake a data protection impact assessment.

Breach Reporting – When do you need to report to the ICO

The ICO has reported a huge increase in over-reporting of data breaches by organisations. The proposal is therefore to change the threshold for reporting a data breach to the ICO, so that only breaches where the risk to the individual is ‘material’ would need to be reported.

The ICO would be encouraged to produce guidance and examples of what constitutes a ‘material’ and a ‘non-material’ risk.

Individual Rights – could we go back to charging a fee?

The proposal considers introducing a fee regime. The fee regime would be structured so as not to undermine an individual’s right to access their personal data. This proposal could help to ensure that organisations are not overburdened by wide-ranging, speculative subject access requests.

Cookies – could more cookies be designated as necessary?

Under current legislation organisations are only able to place ‘strictly necessary’ cookies without consent. This means that consent is necessary for analytics cookies.

This has resulted in two issues:

  1. Organisations’ ability to collect audience measurement data to improve their websites and services for their customers has been affected by the stricter consent requirements that are intended to give consumers greater control over how their data is used.
  2. Individuals frequently complain about the number of cookie pop-ups on websites.

The proposal outlines two main options for tackling these issues:

  1. To permit organisations to use analytics cookies and similar technologies without the user’s consent, meaning these cookies would be treated in the same way as ‘strictly necessary’ cookies under the current legislation, for which consent is not required. It is acknowledged that further safeguards need to be considered.
  2. To permit organisations to store information on, or collect information from, a user’s device where it is for a limited purpose. Again, this would only be permitted where the impact is likely to be minimal.

It is worth noting that other countries, such as France, already view analytics (or ‘audience measurement’) cookies as being ‘strictly necessary’ and therefore do not require consent when certain conditions are met.

Research – is there a way that personal data can be used more easily for research purposes?

The government welcomes the guidance that the ICO is looking to provide, which would give greater clarity for researchers on the various research provisions in the legislation and when they apply.

The government is looking to understand how current legislation could be amended to support responsible research activity using personal data.

The government is considering the following two proposals on the use of personal data for research purposes:

  1. Clarifying in legislation how university research projects can rely on tasks in the public interest (Article 6(1)(e) of the UK GDPR) as a lawful ground for personal data processing. At present, universities are identifying a legal basis to use for research in an unclear and inconsistent way. Uncertainty may be creating burdens or discouraging useful research. Clearly defining when universities can rely on Article 6(1)(e) of the UK GDPR may reduce these burdens and increase transparency for data subjects on how universities are using personal data.
  2. Creating a new, separate lawful ground for research, subject to suitable safeguards. A new lawful ground could help reduce the complexity for organisations undertaking research in identifying a legal ground but would require safeguards on top of those already present in Article 89(1) of the UK GDPR to prevent a data subject’s personal data from being used in unexpected ways.

Automated Decision Making and AI – should Article 22 GDPR be removed?

Article 22 GDPR only allows automated decision making where it is necessary for entering into, or for the performance of, a contract with the individual.

It needs to be considered that the use of automated decision making is likely to increase greatly in many industries in the coming years. The need to maintain a capability to provide human review may therefore, in future, not be practicable or proportionate, and it is important to assess when this safeguard is needed and how it works in practice.

The Taskforce on Innovation, Growth and Regulatory Reform has therefore recommended that Article 22 of the UK GDPR should be removed.

Reform the ICO

The government wants to empower the Information Commissioner to protect data rights and promote trust in the data protection system in order to unlock the power of data.

The ICO must continue to be an agile and forward-looking regulator, in order to keep pace with new technologies and emerging regulatory issues. The government’s proposed reforms will better equip the ICO to play this regulatory role by creating a clearer mandate for a risk-based and proactive approach to its regulatory activities in line with best practice of other regulators, such as Ofcom, Ofwat and Ofgem.

Conclusion

This reform is about driving economic growth and innovation; it is about taking burdensome tasks away from smaller organisations and allowing organisations to build a more flexible approach to their data protection management.

However, it also means that organisations are taking responsibility for their own data protection and need to implement privacy frameworks.

Asking an organisation to take ownership of its data protection could be the answer to organisations becoming more involved in what they do and how they do it, making it no longer a tick-box exercise, as it has been for some.

The EU will no doubt be keeping a close eye on any new developments to ensure that adequacy can still be granted. The consultation ends on 19th November 2021.

The full consultation paper can be found here.
