The UK government has published its response to the consultation it ran on reforming UK data protection law. It intends to make over 60 changes to the UK's approach to data protection.
On 17th June 2022, the Department for Digital, Culture, Media, and Sport (DCMS) published its response to the consultation it ran on the reform of UK data protection law. DCMS's response sets out 63 reform proposals that the UK government intends to take forward, as well as those proposals it will and will not consider further.
The original consultation ran between September and November 2021. The proposals within it, and those that will now be taken forward, align with the UK's National Data Strategy and focus on the following 5 key areas:
This article sets out some of the key changes that the government will now adopt under each of the focus areas. You can also read the article we published on the consultation in October last year here.
1: Reducing barriers to responsible innovation
In order to reduce barriers to innovation, the government plans to implement changes to data protection law across a number of areas that touch on innovation. The proposed changes include those described below:
Research purposes: Consolidation of the rules on processing personal data for research purposes, linking them to relevant ICO guidance and creating a clear statutory definition of scientific research to provide clarity as to when this can be used.
Further processing: Clarification of the rules on re-use of personal data including setting out how further processing may be possible:
Legitimate interests: Creation of a limited list of legitimate interests for businesses to process personal data without applying the legitimate interests balancing test. These are likely to include processing activities which are:
AI and machine learning: Clarifying that Schedule 1, Paragraph 8 of the Data Protection Act 2018 enables the processing of sensitive personal data (referred to as special category data in the UK GDPR) for the purpose of monitoring and correcting bias in AI systems.
Rights in relation to automated decision-making and profiling: The scope and limits of Article 22 of the UK GDPR will be clarified.
Data minimisation and anonymisation: Adopting the Council of Europe's Convention 108 test for whether data is anonymous and whether a living individual is identifiable.
2: Reducing burdens on business and delivering better outcomes for people
To reduce the burdens of complying with data protection law and at the same time deliver better outcomes for people, the government plans to implement wide-ranging changes to core data protection requirements within the UK GDPR.
Reform the accountability framework: Organisations will be required to operate a risk-based privacy management programme focused on privacy outcomes rather than the UK GDPR's prescriptive requirements. This will lead to: the replacement of requirements to appoint a data protection officer with a requirement to have a senior person responsible for oversight of data protection; the removal of the requirement for data protection impact assessments – although this will be replaced with an obligation to ensure there are risk assessment tools in place; and the removal of the requirement to maintain records of processing activities – although an organisation will need to have data inventories.
Subject access requests: The threshold of "manifestly unfounded" for refusing subject access requests will be replaced with the concept of "vexatious or excessive" requests being exempt in line with the Freedom of Information Act – this will lower the threshold for businesses to refuse subject access requests to stem the floodgates of disruptive DSARs.
Privacy and electronic communications (PECR): Significant changes relating to privacy and electronic communications include:
Use of personal data for the purposes of democratic engagement: The "soft opt-in exemption" for direct marketing will extend to other political entities including candidates and registered third-party campaign groups who are registered with the Electoral Commission.
3: Boosting trade and reducing barriers to data flows
The government intends to boost trade while reducing barriers to data flows by introducing the following changes:
Alternative transfer mechanisms: Creation of a new power for DCMS to create new UK mechanisms for transferring data overseas or recognise in UK law other international data transfer mechanisms.
Adequacy: Reformation of the power DCMS has to make adequacy decisions, with a focus on risk-based decision-making and outcomes, and considering the desirability of facilitating international data flows. Removal of the requirement for the DCMS Secretary of State to conduct a review of an adequacy decision every 4 years.
The government wishes to deliver better public services by implementing changes to data protection law that will enable that delivery. The changes that will be adopted include those described below:
Non-public bodies delivering public tasks: Clarification on which lawful processing grounds are available to organisations when they are requested by a public body to help deliver a public task.
Digital Economy Act 2017: Extension of the data sharing powers under the Act to improve public service delivery.
Building trust and transparency: Alignment of key terms within Part 3 (law enforcement processing) and Part 4 (intelligence services processing) of the Data Protection Act 2018 to drive consistency across the UK GDPR.
Public safety and national security: Rules on the police's use of biometric data will be clarified.
5: Reform of the Information Commissioner's Office
We have outlined below the proposals that may have significant impact on businesses, the ICO and its independence.
Strategy, objectives and duties: A new statutory framework setting out ICO's strategic objectives will be introduced, alongside duties to have regard to economic growth and innovation, competition issues and to consult with relevant regulators and bodies when exercising its powers.
Complaints: Data controllers will be required to implement a complaints-handling process that is simple and transparent for data subjects to use, and data subjects must use this process before making a complaint to the ICO. The legislation will also set out the criteria the ICO can use to determine whether to pursue a complaint, the aim of which is to provide clarity and enable the ICO to take a more risk-based and proportionate approach to complaints.
Enforcement powers: Introduction of a provision to permit the ICO additional time beyond the six month statutory deadline to issue a Penalty Notice following a Notice of Intent to issue a fine (under certain circumstances). The ICO will also be granted a new power to compel witnesses to attend interviews during investigations and answer questions.
Proposals which are being considered further
The DCMS's response also outlines proposed changes which need further consideration by the government. These include:
Further processing: The government intends to clarify the distinction between new processing and further processing.
AI and machine learning: Consideration of fairness at a holistic level to address this across data protection and other relevant regimes, which will feature in the White Paper on AI Governance.
Privacy and electronic communications: Further requirements for communication providers to block a greater volume of nuisance calls by blocking calls/texts at source and to provide free services to block incoming calls. Other measures will also be considered to reduce unsolicited direct marketing and fraudulent calls.
Adequacy: Consideration of adequacy regulations for groups of countries, regions and multilateral frameworks to simplify international data transfers.
What changes are not being progressed?
Based on the consultation's feedback from respondents, there are a range of proposals which the government does not intend to take forward. These include, but are not limited to the:
The Queen's Speech in May 2022 put forward the government's intention to introduce a Data Protection Reform Bill. Until the Bill is published and the text of the proposed reforms is available, the full impact they may have on businesses is not certain.
However, the proposals, as we know them today, raise a number of questions:
How will they affect the UK's post-Brexit adequacy decision?
At present, the UK benefits from an EU adequacy decision, which means that personal data transfers from the EEA to the UK (including transfers from the UK to the EEA and back to the UK) can continue without the need for any additional safeguard mechanisms. However, this is subject to UK data protection law remaining closely aligned to the EU GDPR. DCMS's announcement states that it expects the UK to maintain adequacy, so it is to be hoped that the European Commission and privacy activists share this view.
Which laws apply to organisations?
As many UK businesses continue to trade with customers in the EEA, they will need to continue to comply with the EU GDPR as well, due to its territorial scope (i.e. the EU GDPR applies when an organisation provides goods or services to, or targets, individuals in the EU). While DCMS's position is that the proposed reforms will make data governance easier for UK-only businesses (i.e. those not conducting business with the EU), this will not necessarily be true for businesses targeting both the UK and the EU, which will need to continue to satisfy the requirements of both regimes.
What about existing data protection compliance?
Many UK businesses have invested large amounts of time and money to put in place systems, documentation and training to comply with the GDPR. Will they need to make further changes in line with the new UK regime? This could be the case, for example, where organisations have not established or are not running ongoing privacy management and monitoring programmes, i.e. where GDPR compliance was treated as a tick-box exercise to meet prescriptive requirements for May 2018 and no significant privacy management activities have taken place since. It could also be the case where target-operating models for data protection have not been established and no senior person has responsibility for data protection within the organisation. The changes to PECR, particularly the increased fining potential, could also make some organisations decide to review their approach to direct marketing.
Overall, there is still some way to go until we have a better understanding of the impact the changes will have on UK businesses.
However, it is now clear that another round of gap analysis, review of existing processes and change implementation is likely to be required for businesses in the UK very soon.