Data protection: new laws on the way

Ministers are pushing forward with plans to reform the UK’s data protection regime, with a number of significant changes in the pipeline.

The regime came about five years ago following the introduction of the General Data Protection Regulation (GDPR) and the subsequent new Data Protection Act.

Now, the Data Protection and Digital Information Bill is being compiled as a means to update it.

But why – and why now?

The bill is the culmination of a reform programme which began with a public consultation back in autumn 2021. A bill was first introduced in July 2022 but it never got off the ground and was paused so that ministers could engage in a ‘co-design’ process with business leaders and data experts. This new version of the bill is the result of that process. It doesn’t create wholesale change, but rather seeks to amend the current laws.

It should be said that for many, the delay from last year was welcomed – especially by the European Commission., for one, commented that “London’s planned reform of its data protection regime has attracted considerable attention in Brussels, given its potential implications for the EU-UK data adequacy agreement reached in 2019, which facilitates ongoing data transfers between the two.”

Similarly, the Department of Culture, Media and Sport has said that the UK had been in “constant contact” with the European Commission in creating the new bill.

What is the government proposing?

To begin with, the government has described the bill as a ‘common-sense-led’ UK version of the EU’s GDPR. The intention is to update and simplify the UK’s data protection framework, reducing burdens on organisations while maintaining high data protection standards. One of its key aims is to give businesses more flexibility with how they comply with the law, moving away from a box-ticking approach.

In overview, there are a number of changes. Organisations will be able to refuse, or charge for, Subject Access Requests – where individuals seek their information – if they are vexatious; there will be new legitimate interests for processing data; there are to be new rules on data security; a ‘Senior Responsible Individual’ who is part of an organisation’s senior management will have to be appointed in place of a Data Protection Officer; record keeping requirements are to be diluted except for ‘high risk’ activities; the role of artificial intelligence in data processing will be clarified; the penalties for breaching rules on electronic marketing are to be radically increased; and websites will no longer have to seek permission from users when placing cookies on their computers.

And in a move to speed up certain business processes, the bill proposes a ‘digital verification services trust framework’ with providers of digital verification services being accredited and listed on a DVS register. In essence, this means that once an individual has created a re-usable digital identity, they may be able to re-use it to assert their identity (or something else about themselves). This could relate to their age or address and gives them the ability to share certain facts rather than a whole document.

Will it work?

There is confidence that the revised bill will create more integrity and transparency. Of course, the fact that elements of bureaucratic red tape have been removed or watered down is going to be good for businesses; organisations will have new-found clarity about when they can process personal data without needing consent and without weighing up their own interests against an individual’s rights.

But lawyers such as Jeanette Burgess, Head of Regulatory & Compliance at Walker Morris, are warning that the bill doesn’t radically change the data protection regime as “organisations still need to make sure that they only process personal data where they have a lawful basis to do so and that data protection principles are complied with.”

Beyond that, she says that cost could be a problem for companies with operations in the EU as they will still need to comply with the EU GDPR. Indeed, Burgess says that “they may find it cheaper to continue to follow the current regime in the interests of consistency to the extent that is possible under the new bill.” Clearly, if they choose to adopt separate compliance programmes for their EU and UK operations, that is likely to increase, rather than reduce, costs.

The ‘weaponisation of data’ by employees is a frequent frustration for HR managers. James Potts, Legal Services Director at Peninsula, a business services organisation, notes that the bill “will assist HR managers in shielding their businesses from vexatious data subject requests and will also give the ICO the power to reject complaints relating to such requests.” But while vexatious or excessive requests can be quickly dealt with, proof of the fact will be needed.

And it’s bound to please organisations, especially those that are small, that ministers have specifically sought to cut down on the amount of compliance paperwork they need to complete; unless their processing activities could pose high risks to individuals’ rights and freedoms, they won’t need to keep processing records.


Ultimately, those already compliant with the UK GDPR will not need to make any significant changes as the main principles and obligations of the current data protection regime will remain. However, it’s hoped that the burdens on organisations will be eased, though the results will take time to become apparent.
