Ministers are pushing forward with plans to reform the UK’s data protection regime, with a number of significant changes in the pipeline.
The regime came about five years ago with the introduction of the EU’s General Data Protection Regulation (GDPR) and the Data Protection Act 2018 that accompanied it.
Now the Data Protection and Digital Information Bill is being put together to update it.
But why – and why now?
The bill is the culmination of a reform programme that began with a public consultation in autumn 2021. A first version was introduced in July 2022 but never progressed: it was paused so that ministers could run a ‘co-design’ process with business leaders and data experts, and the current bill is the result of that process. It does not make wholesale changes; rather, it amends the existing laws.
It should be said that for many the delay last year was welcome, not least for the European Commission. Euractiv.com, for one, commented that “London’s planned reform of its data protection regime has attracted considerable attention in Brussels, given its potential implications for the EU-UK data adequacy agreement reached in 2019, which facilitates ongoing data transfers between the two.”
For its part, the Department for Culture, Media and Sport has said that the UK was in “constant contact” with the European Commission while drawing up the new bill.
What is the government proposing?
To begin with, the government has described the bill as a ‘common-sense-led’ UK version of the EU’s GDPR. The intention is to update and simplify the UK’s data protection framework, reducing burdens on organisations while maintaining high data protection standards. One of its key aims is to give businesses more flexibility with how they comply with the law, moving away from a box-ticking approach.
In overview, the changes are these. Subject access requests, by which individuals ask for the personal data an organisation holds about them, can be refused, or a fee charged, where they are vexatious or excessive. New ‘recognised’ legitimate interests will let organisations process data for listed purposes without first weighing their own interests against those of the individual. There are to be new rules on data security. A ‘Senior Responsible Individual’ drawn from an organisation’s senior management will be appointed in place of a Data Protection Officer. Record-keeping requirements are to be relaxed except for ‘high risk’ processing. The rules on automated decision-making, including the use of artificial intelligence, will be clarified. Penalties for breaching the rules on electronic marketing are to be increased sharply, bringing them into line with the UK GDPR maximums. And websites will no longer have to seek consent before placing certain low-risk cookies, such as those used only for analytics, on users’ devices.
In a move to speed up certain business processes, the bill also proposes a ‘digital verification services trust framework’, under which providers of digital verification services are accredited and listed on a DVS register. In essence, once an individual has created a reusable digital identity they may use it to prove who they are, or to assert a particular fact about themselves such as their age or address, sharing only that fact rather than a whole document.
Will it work?
There is confidence that the revised bill will bring more integrity and transparency. The removal or watering down of bureaucratic red tape will certainly be good for businesses; organisations will have new-found clarity about when they can process personal data without consent and without weighing up their own interests against the individual’s rights.
But lawyers such as Jeanette Burgess, Head of Regulatory & Compliance at Walker Morris, are warning that the bill doesn’t radically change the data protection regime as “organisations still need to make sure that they only process personal data where they have a lawful basis to do so and that data protection principles are complied with.”
Beyond that, she says cost could be a problem for companies with operations in the EU, as they will still need to comply with the EU GDPR. Indeed, Burgess says that “they may find it cheaper to continue to follow the current regime in the interests of consistency to the extent that is possible under the new bill.” If they instead run separate compliance programmes for their EU and UK operations, costs are likely to rise rather than fall.
The ‘weaponisation of data’ by employees is a frequent frustration for HR managers. James Potts, Legal Services Director at Peninsula, a business services organisation, notes that the bill “will assist HR managers in shielding their businesses from vexatious data subject requests and will also give the ICO the power to reject complaints relating to such requests.” But while vexatious or excessive requests can be dealt with quickly, the organisation will still have to be able to show that a request is in fact vexatious or excessive.
Small organisations in particular will welcome the fact that ministers have specifically sought to cut the compliance paperwork they must complete: unless their processing activities could pose a high risk to individuals’ rights and freedoms, they will not need to keep records of processing.
Ultimately, those already compliant with the UK GDPR will not need to make significant changes, as the main principles and obligations of the current regime remain. The hope is that the burden on organisations will be eased, but the results will take time to become apparent.