On the 11th of September 2021, the UK government released a consultation paper, "Data: a new direction", outlining its proposed reforms of the country's data protection laws. This month, the government released its final response to that consultation, summarising the feedback it received and setting out its current plans for the proposed reforms.
The proposed reforms are arranged into five chapters, each addressing a specific area of the current data protection framework.
Kunbi, our Data Privacy Officer, gives his thoughts on the proposed reforms.
Chapter 1 – Research and Innovation
The first chapter focuses on the ability of companies to process personal data for the purposes of research and innovation, and for the development of "cutting-edge data-driven technologies." The most prominent proposed change in this area is the creation of a list of pre-approved legitimate interests that organisations can rely on to process personal data without first conducting the customary legitimate interest assessment, i.e. the balancing test that determines whether the organisation's interests in the proposed processing are overridden by the interests and rights of the data subjects. Similarly, the government reports that it plans to make it easier for organisations to reuse personal data, originally collected for one purpose, for new purposes.
Chapter 2 – Accountability
In chapter two, the most important changes being proposed are the removal of the requirements for organisations to appoint a Data Protection Officer (DPO), to maintain a Record of Processing Activities (ROPA), and to conduct Data Protection Impact Assessments (DPIAs) where, as currently required, the processing poses a high risk to data subjects. While ostensibly a radical departure from the current law, the proposals would still require companies to designate a "suitable senior individual to be responsible for the programme" in lieu of the DPO, to meet "a more flexible record keeping requirement" in lieu of ROPAs, and to use "risk assessment tools which help assess, identify and mitigate risks" in lieu of DPIAs.
Upon closer inspection, it is clear that these changes would not in practice be as significant as they first appear. Organisations which process personal data as a core part of their business would still be better served by having a dedicated member of staff to oversee data protection compliance. Even if the function is brought under the portfolio of, for instance, the Chief Operating Officer, there would likely still be a member of staff (or an outsourced consultant) directly responsible for data protection. The same applies to DPIAs and ROPAs: they might go by other names, but the core functions would still need to be fulfilled in order to comply with the law and to respond efficiently to data subject requests.
Other significant changes are being proposed in this area in relation to cookie banners on websites and direct marketing. The government intends to legislate to allow cookies to be set without explicit consent when they serve certain pre-approved (yet to be specified) functions, with the caveat that users must be informed and told how to opt out. On direct marketing, the major proposed change is to allow non-commercial organisations to use the "soft opt-in" mechanism to contact people who have previously engaged with the organisation.
The enforcement regime under the Privacy and Electronic Communications Regulations 2003 (PECR) is also to be strengthened to bring it in line with the UK GDPR; fines under PECR are currently capped at £500,000, well below the UK GDPR maximum of £17.5 million or 4% of global annual turnover.
Chapter 3 – International Data Flows
Chapter 3 is focused on international data flows as a way of stimulating trade between the UK and other countries. The proposed changes in this section are mostly to the overarching principles the UK will apply in future rather than specific policy changes, such as the requirement that the UK take a "risk-based approach" when determining whether other countries have adequate data protection regimes. It is not clear how this differs from the current process, which is itself based on assessing risk in recipient countries by evaluating their laws, their judicial independence, and the transparency (or lack thereof) of government surveillance.
The government stated that it is abandoning its initial proposal to make it easier for organisations to rely repeatedly on derogations to sidestep the need to implement appropriate safeguards for international transfers, following representations from respondents that doing so could severely degrade the data protection rights of citizens. This means that organisations will still need to implement appropriate safeguards and conduct transfer risk assessments as necessary before transferring personal data internationally.
Chapter 4 – Public Sector
Chapter 4 covers the public sector, with a focus on the procedures used by various government agencies when processing personal data, with a view to promoting better public service delivery. One of the proposed changes is to allow law enforcement agencies (as a group) to produce codes of conduct clarifying specific parts of the data protection laws as they apply to their specific use-cases, subject to approval by the ICO.
Chapter 5 – The ICO
The final chapter covers proposed changes to the ICO itself, beginning with a possible change in the regulator's name. The government also proposes to refocus the ICO's objectives toward dealing with the "most serious threats to public trust" while promoting growth and innovation through its regulatory activities. In addition, the corporate structure of the ICO is to be reformed into a statutory board with members appointed by the Secretary of State, and changes to the salary of the board chair would no longer be subject to parliamentary approval. Taken together, these changes mark a significant departure from the standards of regulatory independence established by the UK GDPR and have raised concerns about how the European Union might respond with respect to the UK's current adequacy status for international transfers.
In all, the reforms are significant in some respects but much less so in others. For most organisations, maintaining the current standards remains the best course of action: it mitigates the risk of penalties from the ICO and of liability from lawsuits by data subjects (both of which are untouched by the proposals), and it keeps the organisation's data protection processes as efficient as possible. For instance, companies without expert data protection officers or consultants may find it harder to implement data protection by design and by default in their products, and end up spending more on remedial measures later. Similarly, companies without accurate and up-to-date ROPAs would find it harder to respond to subject access requests, spending more time, effort and money than organisations with better-organised information governance.
The above is particularly true for companies that currently operate internationally or intend to expand outside the UK in future. Maintaining the GDPR's standards avoids the additional cost of having to "upgrade" the company's privacy framework later and makes it easier to commence operations abroad with full confidence and minimal risk.