What is the UK Data Reform consultation?
On 10 September 2021 the UK government launched its consultation for the reform of the UK data protection laws (“UK Data Reform”). The current UK data protection regime consists of the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 2018 (DPA). The purpose of the UK Data Reform is to “create a data rights regime which delivers not only economic benefits but wider societal benefits alongside personal benefits to citizens.” This consultation response, along with the Data Reform Bill announced in the Queen’s Speech, gives us the “new direction” for the UK in relation to data.
What is the government’s response to comments on some of the key proposals of the UK Data Reform?
The government provided its response to the consultation on 17 June 2022. Here are some of the key planned next steps that are outlined in the response that may affect your business:
- To create a limited list of legitimate interests for businesses to process personal data without applying the balancing test. This will lessen the administrative burden for a lot of organisations, and avoid organisations seeking consent where they are nervous of carrying out an incorrect assessment.
- A key change will be to how cookies are dealt with. In the immediate term, the government will permit cookies (and similar technologies) to be placed on a user’s device without explicit consent not just for essential cookies, but also for a small number of other non-intrusive purposes. In the future, the government intends to move to an opt-out model of consent for cookies placed by websites (not including websites which are “likely to be accessed by children” and are therefore subject to the Children’s Code). In practice, this would mean cookies could be set without seeking consent, but the website must give the web user clear information about how to opt out. This second stage will only be implemented once the government is confident that tools which help people manage their cookie and opt-out preferences are widely available for use.
- The threshold for refusing to deal with or charging a reasonable fee for a data subject access request (DSAR) will be amended from the current "manifestly unfounded" to "vexatious or excessive", aligning it with the Freedom of Information regime.
- The direct marketing soft opt-in will be extended to “non-commercial organisations”, e.g. charities, meaning that such organisations will be able to send communications to supporters and donors without needing prior consent (assuming the soft opt-in conditions are met). This will be done in parallel with steps to ensure appropriate safeguards are in place to protect individuals who do not wish to continue receiving communications.
- There will be an extension of the lawful bases for processing special category data (including in respect of AI).
- The Information Commissioner’s Office (ICO) will be reformed, becoming a body corporate, and having a new structure, governance framework and an independent board. The ICO will also have statutory objectives, new duties, e.g. having regard to growth, innovation and competition (which has already got privacy activists excited), and new powers, e.g. determining the criteria for whether or not to investigate a complaint. When developing Codes of Practice the ICO will be required to set up expert panels to assist with this work.
- Removal of the requirement for data protection impact assessments (DPIAs). Organisations will still be required to ensure there are risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation, but they will be given more flexibility in terms of how this is implemented.
- Removal of the requirement for an Article 30 UK GDPR record of processing. Organisations will need to have personal data inventories as part of their privacy management programme which describe what and where personal data is held, why it has been collected and how sensitive it is, but they will not be required to do so in the way prescribed by the requirements set out in Article 30.
- Removal of the requirement to appoint a Data Protection Officer (DPO) and instead there will be a requirement for organisations to appoint a senior responsible individual. This designated senior individual will be ultimately responsible for the privacy management programme, overseeing most of the tasks the DPO currently undertakes. There is flexibility to allow organisations to maintain DPOs as long as there is “appropriate oversight from the senior accountable individual”.
The requirements for DPIAs, Article 30 records and DPOs will be replaced by a requirement to have a risk-based privacy management programme. This would allow for a more flexible accountability framework and would reflect the “volume and sensitivity of the personal data involved”.
These are a selection of the key proposed next steps, and we will publish a follow-up article with a more in-depth analysis of the UK Data Reform when we have more detailed information.
What does this mean for businesses going forwards?
There may be concerns about the effect the UK Data Reform will have on the privacy rights of data subjects and, therefore, the knock-on effect on the EU adequacy decision which the UK currently enjoys, and about whether this will mean more work for organisations.
However, there have been reassurances from the government that:
- The UK Data Reform is retaining the EU GDPR principles and the government is engaging with the European Commission regarding this new policy paper. Hopefully this should help to ensure there is no change in the EU’s adequacy decision for the UK. The changes proposed seem to reflect this approach as, instead of eradicating requirements under the GDPR, they are framed in a more flexible way building on the UK GDPR; and
- If an organisation is complying with the UK GDPR, it is likely they will be compliant with the UK Data Reform proposals. There are a limited number of new requirements, which are considered to be “already good or best practice” and those that “many businesses [will] already have in place”, so organisations can continue to do what they are doing in terms of data compliance if they are complying with the UK GDPR.
So, as ever, watch this space – but from the direction of travel it appears that the UK Data Reform will mean less work for organisations in terms of data compliance and a more business-friendly regime whilst still maintaining high data protection standards.
"We are reducing the burdens on businesses that impede the responsible use of personal data. By giving businesses the opportunity to protect personal data in the most proportionate and appropriate way, we will make them more efficient, meaning higher productivity rates, and more jobs."