UK Data Protection & Digital Information Bill: Can We Really Overhaul the GDPR?
In September 2021 the UK Government announced its plans to reform the UK’s privacy laws. Recently, it introduced the UK Data Protection and Digital Information Bill to the House of Commons.
Current Stage: 2nd Reading
> Read moreUK Data Protection and Digital Information Bill
What will the proposed changes look like? Proposals are split into 30 headings across 5 key chapters:
- Reducing barriers to responsible innovation: ‘clear and consistent’ rules to support the adoption of data-driven technologies.
- Reducing burdens on businesses and delivering better outcomes for people: providing a high-standards, flexible data protection regime balanced with more proportionate compliance.
- Boosting trade and reducing barriers to data flows: progressing an ‘ambitious’ set of adequacy assessments, taking a risk-based approach.
- Delivering better public services: improving the delivery of Government services through data sharing and ‘better use’ of data.
- Reforming the Information Commissioner’s Office (ICO): Setting out a clear vision for the ICO as an independent regulator, improving accountability and refocusing its efforts from low-level complaints to addressing serious threats. Its overall objective will be to 1) uphold data rights and 2) encourage trustworthy and responsible personal data use.
The practical changes for UK commercial organisations and the difference between the requirements of the GDPR and the new proposed laws are summarised in detail below:
UK Data Protection and Digital Information Bill: Breakdown
Appointing a Data Protection Officer
UK GDPR/ PECR Requirement
Organisations must appoint a Data Protection Officer (DPO) if certain conditions are met.
UK Proposal
No requirement for a DPO, but an appropriately senior data protection lead should be appointed for governance purposes.
Records of Processing Activities Requirement
UK GDPR/ PECR Requirement
A Record Of Processing Activities (ROPA) is required for any organisation processing personal data, setting out all categories of personal data processed, the lawful basis for processing each category, who data is shared with, safeguarding procedures, etc.
UK Proposal
No requirement for a ROPA, but instead there will be ‘more flexible’ record-keeping requirements. Companies will still be expected to hold ‘inventories’ of personal data, but not in the way prescribed by Article 30 GDPR.
Data Protection Impact Assessments
UK GDPR/ PECR Requirement
A data protection impact assessment (DPIA) is required under Article 35 GDPR for high-risk processing activities.
UK Proposal
Organisations should appoint a suitably senior individual to be responsible for compliance and ensure they implement tools to identify and mitigate risks.
ICO Consultations for High Risk Processing
UK GDPR/ PECR Requirement
The ICO should be consulted where high-risk processing takes place which cannot be mitigated.
UK Proposal
The Response notes that compliance with this legal requirement is low. The Government proposes to proceed with removing this requirement and instead making it voluntary, resulting in more proactive conversations with the ICO. This will be taken as a mitigating factor in any enforcement action.
Right of Access Exemptions
UK GDPR/ PECR Requirement
All individuals have a ‘right of access’ and can make a request to an organisation to provide access to all personal data that the organisation holds about them (SAR). The threshold for rejecting a SAR is high – namely only when the SAR is ‘manifestly unfounded or excessive’. Generally, SARs have to be administered free of charge.
UK Proposal
The Government plans to proceed with changing the current threshold for refusing or charging a reasonable fee for a subject access request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. There will not, however, be a fee for processing a SAR as per the DPA 1998 regime. The Government continues to consider how it can help the healthcare industry and SMEs with processing these types of time-consuming and burdensome requests.
Cookie Consent Mechanisms
UK GDPR/ PECR Requirement
Under PECR, consent is required to place non-essential cookies on a user’s device.
UK Proposal
The Government intends to remove the need for cookie banners on websites for UK residents. In future, the Government intends to move towards an ‘opt out’ rather than an ‘opt in’ model for the use of cookies.
Soft Opt in for Direct Marketing
UK GDPR/ PECR Requirement
Under PECR, in respect of direct marketing, although consent is seen as the ‘gold standard’, businesses can generally market to individuals where there has been a historic sale or negotiation for a sale without consent.
UK Proposal
The Government wishes to extend the use of soft-opt in to non-commercial organisations such as charities. It is also considering extending this to political parties.
Fines under PECR
UK GDPR/ PECR Requirement
Fines under PECR (which governs the use of cookies, direct marketing / unsolicited marketing and communications security) are significantly lower than those under GDPR.
UK Proposal
The Government does not believe the current regime is dissuasive enough and plans to bring the PECR enforcement regime in line with the UK GDPR and, as such, the ICO will have the power to levy fines of up to £17.5m or 4% of annual global turnover for breaches of PECR.
Adequacy Decisions
UK GDPR/ PECR Requirement
The UK’s ‘adequacy decisions’ in respect of other territories must be reviewed every 4 years.
UK Proposal
The UK plans to adopt ongoing monitoring but remove this 4-year requirement.
Transfer Mechanisms for International Data Transfers
UK GDPR/ PECR Requirement
Transfer mechanisms (such as the International Data Transfer Agreement or EU Standard Contractual Clauses (with a UK Addendum) should be used for transfers of personal data to non-adequate territories.
UK Proposal
Although it is not clear how this will look, the Government plans to ensure that data exporters can act ‘pragmatically and proportionately’ when using transfer mechanisms, and wishes to create new transfer mechanisms. However, organisations will not be able to propose their own transfer mechanisms and, as such, businesses can continue to expect a standard legal framework to use when transferring data internationally.
Lawful Bases: Public Task
UK GDPR/ PECR Requirement
One lawful basis for processing personal data is ‘Public Task’ (Article 6 GDPR) although statistics to date show that organisations are not clear on when it can be relied upon.
UK Proposal
The Government plans to clarify which lawful bases for processing personal data are available to organisations under Article 6 of the UK GDPR when they are requested by a public body to help deliver a public task.
Adequacy Status and Cross-Border Transfers
Post-Brexit, the UK Government departed from the EU GDPR. However, to freely share data with Europe, the European Commission requires that the UK maintains ‘adequacy’ status, meaning it must have an equivalent standard of data protection laws to that of the EU GDPR. Note that this doesn’t mean the laws have to be the same, but the level of protection must be equivalent.
At the moment this isn’t a problem – the Data Protection Act 2018 / UK GDPR mirrors the EU GDPR. However, in granting the UK ‘adequacy’, the European Commission has warned the UK that if it cannot guarantee a GDPR standard of protection in its reforms that it will lose its adequacy status.
The practical implications of the UK’s adequacy status being revoked are that additional contractual safeguards (for both existing and new contracts) would be needed, including transfer agreements and transfer impact assessments. The cost of this would undoubtedly lie with UK organisations processing personal data. That being said, the Government maintains that “EU adequacy decisions do not require an ‘adequate’ country to have the same rules, and our view is that reform of UK legislation on personal data is compatible with maintaining flows of personal data from Europe.”
There are indeed a number of countries outside of the European Economic Area (EEA) which have been granted ‘adequacy status’ by the European Commission (e.g. Japan), meaning that data can flow freely between that country and the EEA. Those territories have not adopted the GDPR but have been deemed to impose a similar standard of protection of personal data which is essentially the aim of the UK Government in reforming its data protection laws post-Brexit. The question is whether we can maintain adequacy status with the level of proposed reforms, and on the flip side if we shrink back the reforms, whether our new framework will truly drive innovation.
It is worth noting that the previously adopted ‘privacy shield’ allowing the free flow of data between the EEA and USA was invalidated in the infamous ‘Schrems II’ case in July 2020. The European Commission’s problem with the USA’s data protection regime is largely down to the extensive surveillance permitted to be carried out by the US Government. However, in recent months the EU has announced that it is close to reaching a deal with the USA in respect of international transfers, although the detail is yet to be confirmed. With that in mind, it looks as though there may finally be a simplified future for international personal data transfers which will hopefully extend to the UK.
Challenges
One important point to note is that organisations operating in both the UK and EU will be dual regulated, meaning they will have legal obligations to comply with both the UK regime and the EU regime. Whilst there are some mechanical nuances to being dual regulated, complying with the UK and the EU GDPR are very similar at present. As the UK moves to create its own legislation, further investment will be needed as well as a closer analysis of which processes can be streamlined and which need to be separated.
Although the Government has stressed that organisations who are currently compliant with data protection laws will be able to comply with the new regime, the resource, time and cost for businesses could be significant. Interestingly, the Government’s Analysis of Expected Impact on the changes estimates reforms could boost the UK economy by £1.04 billion over 10 years. This would increase to £1.45billion if adequacy is maintained. The Government is therefore estimating that if adequacy is revoked this will cost UK businesses £410m. The latest response from the Government states that it is producing an impact assessment with an updated breakdown of costs associated with the changes which may be ‘materially different’ to the figures indicated in its original analysis.
What Next?
There is no immediate clarity for organisations on steps they should be taking now, although the documents to date including the new UK Data Protection and Digital Information Bill provide some interesting insight on changes to come.
What businesses really want to know is what they need to do practically to comply with legal changes so they can resource up where needed and create new ways of working. This will hopefully become clear as the Data Protection and Digital Information Bill progresses through Parliament and our new data protection framework enters its next phase of development. It will also be interesting to see what resources will be available to organisations to help them on their compliance journeys if the aim is truly to simplify data protection compliance and enable innovation.
For more information on the Bill, click here.
To see the Consultation Response document, click here.
Should you require more information on the UK Data Protection and Digital Information Bill, please get in contact with one of our Privacy and Data Protection Experts.