On the 18th July 2022, the UK government published its proposals for reforms to UK data protection law. The reason for these reforms is to make data protection more user friendly for businesses, especially small and medium sized businesses. The new legislation is expected to be passed by spring 2023, at the very earliest.
The following is a summary of some of the proposed changes to the data protection regime, but should not be read in isolation and the actual Bill (the Data Protection and Digital Information Bill) should be reviewed in full for an understanding of the government’s proposed changes. You can also follow the passage of the bill through parliament at parliament.UK:
- Data protection officers – where formerly a data protection officer was required in certain organisations, those organisations will instead need to identify a senior responsible individual (SRI) who will oversee data protection compliance and also have the ability to delegate the responsibility.
- Assessment of high risk processing – the data protection impact assessments (DPIAs) requirement is narrowed in scope. Controllers conducting high risk processing will still need to do a DPIA and include a summary of the purposes of the processing, an assessment of whether the processing is necessary and the risks it poses to individuals; and a description of how the controller intends to mitigate any such risks. The previously mandatory requirement to consult the ICO prior to conducting the high risk processing has been made optional.
- ROPA – lite – records of processing activity (ROPAs) can be less detailed for all.
- Vexatious data subject requests – these rights have been restricted, with controllers able to resist vexatious requests (formerly these had to be “manifestly unfounded or excessive”). Examples of vexatious requests include those not made in good faith or that are an abuse of process. The controller can refuse them or charge a fee.
- No more UK representatives – removal of the requirement for overseas controllers within scope of the UK GDPR to appoint a representative in the UK is removed.
- Complaints processes – Data subjects have a new “right” to complain to controllers about any UK GDPR breach relating to their data, with controllers required to acknowledge receipt within 30 days. Controllers may be required to inform the ICO about the number of complaints received.
- Anonymisation – some changes are proposed to the personal data definition (where an individual is “identifiable” or not) to help bolster the robustness and certainty of anonymisation.
- ADM – A decision is defined as being based on “automated processing” if there is no meaningful human involvement in the taking of the decision. The proposals extend the circumstances under which automated processing (which includes profiling) can be used to take “significant decisions” ie. decisions producing legal or similarly significant decisions for the data subject). Previously the circumstances were limited to where necessary for entering into the contract with the individual, where authorised by law or with the individual’s explicit consent.
- Purpose limitation and further processing – the reforms also expand on how a controller can undertake further processing of personal data in certain circumstances, where this further processing is compatible with the original purpose.
Electronic Direct Marketing and Cookies
- Fines and exemptions – maximum fines for breach of the Privacy and Electronic Communications Regulations (PECR) are increased to the UK GDPR level, being £17.5million or 4% of global annual turnover, whichever is the higher.
- Cookies: a relaxation of the consent requirement is proposed for certain types of cookies.
The overall impact of these reforms is less substantial than was originally suggested by the UK government. The intention had been to make data protection less challenging for organisations to comply with but these changes do not really make as big a difference as had been anticipated.
Organisations should have in place processes and procedures to facilitate their compliance with the GDPR and Data Protection Act 2018 already, so with the introduction of these proposed changes, those processes and procedures may need to be added to or amended. If you would like to arrange a review of your existing policies and procedures or advice on their implementation, please contact our data protection experts on 01202 786161 or via email@example.com.