It’s been a turbulent few months in the UK. Since 18 July when the Data Protection and Digital Information Bill was introduced in the House of Commons, the Queen has died, Liz Truss has resigned, and a recession is looking increasingly likely. The Bill’s second reading, which was due on 5 September, was postponed because of a change of Prime Minister. On 13 October, Conservative minister Julia Lopez confirmed ministers are still considering its proposals.
The Bill stems from the government’s plans to “seize the benefits of Brexit” by updating and simplifying data protection law in the UK. The government says it wants to reduce regulatory burdens on businesses while maintaining high protection standards demanded by the GDPR.
The current secretary of state for the Department for Culture, Media and Sport, Michelle Donelan, told the recent Conservative party conference she would be: “replacing GDPR with our own business and consumer-friendly British data protection system”.
“It’s time we seize this post-Brexit opportunity fully and unleash the full growth potential of British business,” she added. “We can be the bridge across the Atlantic and operate as the world’s data hub.”
This latest announcement has created unwelcome uncertainty for business. Of course, with the UK government so unstable, Donelan’s announcement may be moot. But here are some of the main changes the Bill introduced by Boris Johnson’s government proposes to introduce:
Changes to the UK GDPR
The Bill proposes a list of recognised legitimate interests (e.g. detecting, investigating or preventing crime), which would form a new lawful basis for processing personal information and remove the requirement to conduct a legitimate interests assessment. Any processing would still need to satisfy the principles of necessity and proportionality. This would prevent, for example, an employer conducting intrusive surveillance of employees in the name of detecting, investigating or preventing crime – we’re looking at you, Ikea.
Subject access requests (SARs)
As it stands, an organisation can refuse to comply with a SAR or charge a reasonable fee for complying with it if it’s considered manifestly unfounded or excessive. The Bill would change the threshold for charging a fee, bringing it in line with the grounds to refuse a freedom of information request. However, critics have pointed out that equating SARs with FOI requests is problematic as while anyone can submit a FOI request, SARs are restricted to the requestor’s own personal information.
Data subjects would have the right not to be subject to automated decision-making where the personal information being processed is special category data, as opposed to the current general prohibition. Controversially, any exceptions and safeguards could be easily amended by a secretary of state in the future, as opposed to via a Bill that has to win approval in the House of Commons and the House of Lords.
Organisations based outside of the UK with no presence in the country will no longer be required to appoint a representative in the UK. The purpose of representatives is to make it easier for UK residents to enforce their UK GDPR rights and for the Information Commissioner to exercise its powers against organisations based outside the UK.
Data protection officers (DPOs)
Certain businesses are required to appoint a DPO with expert knowledge of data protection law, who is given specific protection under the UK GDPR to perform their duties. This requirement will be replaced with an obligation to designate a ‘senior responsible individual’ (who should be a member of the senior management team) with responsibility for data protection matters.
Article 30 record or record of processing activities (ROPA)
The requirement to keep a record of data processing activities set out in Article 30 of the UK GDPR will be replaced with a requirement to maintain an ‘appropriate record of personal data’. Organisations whose records comply with the current form prescribed by the UK GDPR will satisfy the requirements set out in the proposed Bill. Organisations which sell into the EU must continue to keep a record of processing activities in the current form anyway.
Data protection impact assessments (DPIAs)
The new requirement is for ‘assessments of high-risk processing’ rather than DPIAs, and is more limited in scope. The obligation to consult with the Information Commissioner where a high risk to the rights and freedoms of individuals has been identified but cannot be mitigated will become voluntary. DPIAs are vital in mitigating risk and potential data protection harms to individuals. It is as yet unclear what the practical differences will be between a DPIA and an ‘assessment of high-risk processing’, but any ‘watering down’ of such assessments would be undesirable. In any event, a UK business which wants to sell into the EU would still be required to conduct a DPIA in high-risk circumstances.
Data protection complaints
The Information Commissioner will be given new powers to refuse to act on an individual’s complaint if it has not also been made to the relevant organisation, if the company has not finished dealing with the complaint (and 45 days have not passed), or the complaint is vexatious or excessive.