After a year of consultations, the UK government has finally laid its data protection reform bill before parliament – titled the Data Protection and Digital Information Bill in view of its expanded scope. We previously provided an analysis of the government’s response to the feedback it received during the consultation period, which you can review here to get a sense of the government’s objectives for the new law. Now that the bill is here, this article evaluates its actual provisions and the significant impacts they might have on organisations that process personal data.
Kunbi – Our Data Privacy Officer gives his thoughts on the proposed reforms.
Principles And Lawful Grounds of Processing
There are two major proposed changes to the legal grounds upon which organisations can process data. The first is to the ‘Legitimate Interests’ basis for processing, which under the UK GDPR requires organisations to conduct a balancing test to ascertain whether the interests of the organisation outweigh those of the data subjects before commencing processing. The new bill sets out instances (focused on public security, safeguarding and democratic engagement) in which the balancing test will not be necessary.
The second change is to the purpose limitation principle, which binds controllers not to reuse data for new purposes except after conducting a test to ascertain that the new processing is compatible with the original one for which the data was obtained. In the new bill, the government has set out a list of scenarios in which the compatibility test will no longer be necessary, including research, archiving and complying with a legal obligation.
Both changes remove a layer of complexity and can make it simpler to process data in a variety of scenarios, but it’s important to note that all other obligations on a controller remain in effect, such as providing data subjects with details of the processing and complying with Data Subject Access Requests.
The bill proposes several changes to the accountability obligations of data controllers. Firstly, it removes the requirement for controllers and processors not established in the UK to appoint a representative in the country. Other changes include removing the requirements to maintain a ROPA (Record of Processing Activities) and to conduct Data Protection Impact Assessments, although the new bill still requires organisations to keep a record of processing and to conduct assessments when ‘high risk’ processing is being considered, so the actual impact of these changes is quite minimal.
Another major change concerns the obligation of processors and controllers that meet certain thresholds to appoint a Data Protection Officer. The new bill replaces that obligation with a requirement for the relevant controllers and processors to appoint a Senior Responsible Individual (SRI) who must be at management level. The bill does permit the SRI to delegate these functions to an external individual or organisation, or to someone else within the organisation. Given that this individual’s tasks (ensuring and monitoring compliance, organising training, and dealing with breaches, among others) are nearly identical to those of a DPO, retaining an expert in that role would certainly be the wisest course of action for organisations seeking to mitigate liability.
Data Subject Rights
The bill also makes some changes to data subject rights. Firstly, the DPDI Bill replaces the EU GDPR’s ‘manifestly unfounded or excessive’ threshold for refusing requests with a new ‘vexatious or excessive’ threshold. It also sets out the factors organisations can consider when deciding whether a request meets this threshold, such as whether the request is made in bad faith or intended to cause distress.
Cookies and Electronic Marketing
The new bill expands the instances in which cookies can be placed on devices without prior consent. The list includes cookies necessary for collecting statistics, adapting the appearance of web pages, or installing security updates. In another change, non-profit organisations will now be able to send emails without prior consent for charitable, political, and other similar purposes.
The new bill also makes two major changes on the enforcement front. The first is that providers of electronic communications services must now report any activity suspected to be related to unlawful direct marketing. The second is an overhaul of the enforcement powers in relation to electronic communications, with a drastic increase in the maximum fine, from 500,000 Pounds to 20 million euros or 4% of annual worldwide turnover, whichever is higher.
Although the UK Data Protection and Digital Information Bill makes some significant changes in expanding the ICO’s ePrivacy enforcement powers, most of its changes will not make a difference for organisations currently complying with the UK GDPR, beyond changing how certain things are referred to. This is especially important for organisations that operate, or intend to operate, internationally: continuing to adhere to GDPR standards avoids the problem of having to comply with multiple regimes.