What you need to know about the incoming UK Data Protection Reform
Key Contact: Declan Goodwin
Author: Rachel McCulloch
It is essential for businesses to keep up to date with data protection regulations to ensure they remain compliant. Following the government’s consultation on proposals to reform the UK data regime, the Data Protection and Digital Information Bill (the “Bill”) was introduced to Parliament on 18th July 2022. So, what are some key takeaways from the Bill that you should know?
Businesses will no longer have to appoint a Data Protection Officer (“DPO”), but they will be required to have a “senior responsible individual” who will be responsible for overseeing data protection compliance. The roles are similar, but the key difference is that a DPO has to be independent, whereas a senior responsible individual must be a member of the business’s senior management team.
Furthermore, instead of completing data protection impact assessments, businesses will be required to carry out an “assessment of high-risk processing”. You will still have to demonstrate your assessment and management of risks when processing personal data, but the process is simplified and the assessment will only need to include a summary of the purposes of the processing.
The requirement to maintain a record of processing activities is replaced with a requirement to maintain appropriate records of processing personal data. These are very similar, but you will no longer have to record categories of processing and data transfers.
Data controllers not based in the UK will no longer have to appoint a data representative in the UK.
Under the UK GDPR, to process personal data, you must be able to rely on a lawful basis, one of which is legitimate interests. To use legitimate interests, you must weigh up your interest against the data subject’s rights, interests, and freedoms. The Bill introduces a number of pre-approved “recognised legitimate interests” which will not require the balancing exercise.
Unfortunately, the list is limited and focuses on the public interest such as investigating and preventing crime and reporting safeguarding concerns. It is therefore unlikely to affect common data processing activities, but the government will be able to amend and add to this list. For interests not listed, a balancing exercise will still be required when relying on legitimate interests.
Data subject rights
Data subjects can submit a subject access request (“SAR”) to obtain a copy of their data. Currently, businesses can refuse or charge for SARs if they are “manifestly unfounded and excessive”. This will be replaced with “vexatious and excessive”, with the aim of giving businesses greater scope to refuse SARs. The Bill includes examples of “vexatious and excessive” requests, including those that are an abuse of process, intended to cause distress, or not made in good faith.
Changes to international transfers
The Bill allows businesses to use a risk-based approach to international transfers, assessing the risks involved when using protective measures such as the ICO’s fairly new international data transfer agreement or UK Addendum. The UK Government will also follow a risk-based approach when deciding whether to grant adequacy status to another country.
Using cookies without consent
Currently, only “strictly necessary” cookies can be used without consent. The Bill increases the categories of cookies that can be used without consent to include cookies for purposes that the Government considers pose a low risk to people’s privacy. These include cookies to enable website functionality and software security updates. Consent for other categories of cookies will still be required.
Privacy and Electronic Communications Regulations (PECR)
The fines under PECR will be increased to be brought in line with fines under the UK GDPR. Fines can therefore be up to the higher of £17.5 million or 4% of a business’s annual global turnover.
The Bill is less revolutionary than first expected, likely because this reduces the risk of the EU removing the UK’s adequacy status. This status is important because it allows the free flow of personal data between the UK and the EEA. The Bill does not replace the UK GDPR or the Data Protection Act 2018, but amends and adds to the existing legislation.
The Bill has only had its first reading in Parliament, with its second scheduled for September. It is likely that there will be some amendments before the Bill becomes UK law, so watch this space. For further information and assistance, please contact our Commercial and Technology Team.