This article provides a recap of the first reading of the new Data Protection and Digital Information Bill and the changes proposed within it. While the Bill was due for a second reading on 5th September, this was delayed, and subsequent changes in Government mean that we are now left to wait and see where the UK’s data protection regime falls in the new Government’s priorities.
Regulations surrounding data protection are nothing new for UK businesses, and with the UK GDPR and Data Protection Act 2018 having only recently been implemented, businesses may now need to ready themselves for further changes.
It has previously been acknowledged that ensuring compliance with current data protection legislation can be a tedious task, and that the legislation is considered unnecessarily complex or vague, with the average-sized business bearing the burden of this. This was further recognised by the National Data Strategy, which outlined the UK government’s commitment to positioning the UK as a ‘world leader in data-driven innovation’. As part of this, a proposal has been submitted to reform UK data protection regulations, leading to the introduction of the Data Protection and Digital Information Bill (the “Bill”), which was introduced to Parliament on 18 July 2022. Although the Bill is still in draft form and will likely see many further changes, its purpose is to transform the UK data protection regime from a focus on prescriptive rules to a risk-based approach with a focus on outcomes, rather than rigid regulations.
What will change and how will my business be affected?
The first draft of the Bill contains a number of proposed reforms that aim to make data protection compliance more straightforward by clarifying some of the issues that businesses currently face.
Key changes include:
Removal of the need for a DPO
A business will no longer be required to appoint a Data Protection Officer (DPO); instead, it must appoint a ‘senior responsible individual’ responsible for oversight of data compliance. Despite the change in name, the day-to-day obligations of the role will not change dramatically; however, the “senior responsible individual” must be a member of the business’ senior management team, unlike a DPO, who was required to be independent of it.
Removal of DPIAs
There will no longer be a requirement for businesses to carry out a data protection impact assessment. Instead, ‘assessments of high-risk processing’ will be introduced, which take a more flexible approach to summarising and mitigating data protection risks. However, whilst this may initially appear to give a business more flexibility, a business will clearly still have to demonstrate its assessment and management of risk when processing personal data.
Removal of the need for a UK representative
If you are a data controller and you are not established in the UK, then you no longer need to appoint a data protection representative to be located in the UK.
Data Subject Access Requests
Currently, if a business receives a Data Subject Access Request, it can only refuse the request or charge a fee where the request is deemed “manifestly unfounded or excessive”. The Bill seeks to move away from this, replacing it with a new “test” that allows a business to refuse a Data Subject Access Request which it believes to be “vexatious and excessive”. The intention is to make it simpler for businesses to reject requests that are clearly submitted in an attempt to abuse the system or are not made in good faith.
Changes to international transfers
International transfers of personal data will now be subject to a risk-based approach, with organisations able to use available mechanisms such as ICO template data transfer agreements to help demonstrate this.
Using Cookies without consent
The Bill increases the number of cookie uses that do not require consent, for purposes that pose a low risk to people’s privacy, such as enabling software security updates.
Reforming the ICO
The government also intends to reform the Information Commissioner’s Office (ICO), the body that oversees UK data protection regulations. The ICO will become the Information Commission. The proposals include further changes to the ICO’s operations, including, but not limited to, a change to the current complaints process whereby data subjects must first raise their complaint with the data controller directly before involving the ICO. The ICO will also have extended discretion not to investigate certain types of complaints.
Changes to the Privacy and Electronic Communications Regulations (PECR)
There will be a substantial increase in the maximum fine the ICO may issue under the PECR, from £500,000 to the greater of £17.5 million or 4% of the company’s global turnover, bringing it into alignment with the potential fines set out in the GDPR.
Berry Smith Comment:
A key focus of the recent review and suggested reforms is to ensure that the EU does not remove the UK’s adequacy status, allowing the free flow of data between the UK and EEA to continue. It is for this reason that the proposed changes have been described as “evolutionary not revolutionary”. It is also worth noting that the Bill has not yet been approved, and further readings of it will likely lead to additional amendments. Even if the Bill receives approval, it is not intended to replace the current UK GDPR or Data Protection Act 2018; instead, it seeks to amend and improve the current legislation in order to ease the burden of compliance for UK businesses, with smaller companies benefiting in particular.
The government has stated that all organisations that are currently compliant will remain so at the implementation of the new regime, but it will be worth looking into actions that can be taken to alleviate the pressure of compliance in light of the new risk-based focus.
The Commercial & IP Team at Berry Smith can provide specialist advice on data protection compliance, as well as general commercial and business advice.