UK data protection compliance: The journey in a new direction begins

By Jade Kowalski and Charlotte Halford

Published 20 June 2022

Overview

On Friday 17th June 2022, the UK Government published its eagerly awaited response to the “Data: a new direction” consultation.

As a reminder, the consultation (which ran from September – November 2021) sought views on a number of proposals to amend the UK’s data protection laws post-Brexit, with a particular focus on meeting the aims of the UK’s National Data Strategy. Almost 3,000 responses were submitted and have been considered by Government. The consultation response provides some clarity regarding the areas where we will (and, just as importantly, will not) see a move away from the requirements of the UK GDPR as part of the Data Reform Bill.

Key takeaways from the response

The Government proposes to make a number of changes to existing requirements including the following:

  • Accountability. The requirements to appoint a Data Protection Officer, carry out a Data Protection Impact Assessment and maintain a Record of Processing Activities will be removed. Notably, however, these obligations will be replaced with requirements to appoint a “suitable senior individual” with responsibility for privacy, to implement risk assessment tools, and to meet a “flexible” record keeping requirement.
  • Cookies. The requirement for a “cookies banner” as part of collecting consent will be removed. In the short term, the consent requirement for a “small number of non-intrusive purposes” will be removed (although it is not clear how this will be defined) and consent requirements will be adapted. In the longer term, opt-in consent will be replaced with an opt-out model, with a view to optimising the use of browser-based solutions.
  • PECR enforcement. The fining regime under the Privacy and Electronic Communications Regulations 2003 will be brought into line with the fining regime under the UK GDPR/Data Protection Act 2018.
  • Data transfers. Of particular note for clients who are part way through Schrems II related remediation programmes, reforms will be pursued to ensure that proportionality is key to the assessment of appropriate safeguards when using alternative transfer mechanisms (such as the International Data Transfer Agreement or UK Addendum to the EU Commission Standard Contractual Clauses). The process for assessing third countries as “adequate” will be adapted and relaxed (for example, the requirement to reassess adequacy every 4 years will be removed).
  • The ICO. There will be a number of reforms to the ICO itself including the creation of a statutory framework; a new “overarching objective”; a statement of strategic priorities set by the Secretary of State; and duties in relation to: (i) growth, innovation and competition; and (ii) public safety.
  • Lawful basis of legitimate interests. An “approved” list of certain legitimate interests will be created. If a processing purpose appears on this list then the “balancing test” will not be required.
  • New processing condition for AI and machine learning. A new processing condition for special categories of personal data will be created to enable the processing of such data for bias monitoring purposes (although, interestingly, such purpose will not be included within the approved list of legitimate interests above, meaning that a balancing test will be required in each case).
  • Clarifying data regarded as anonymous. A test defining the threshold for “anonymous” data will be incorporated into legislation.
  • Data subject access requests. The threshold for refusing to comply with, or charging a reasonable fee for, a subject access request will be amended from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. However, a standard fee for all requests (as was in place under the Data Protection Act 1998) will not be re-introduced.

However, based on feedback, proposals will not be pursued in a number of areas including:

  • Fair use of personal data for AI and machine learning purposes. The Government will not legislate to address the fair use of personal data in AI within data protection legislation.
  • Rights in relation to profiling and automated decision making. These rights will not be removed (although may be reformed in some way so as to align with proposals regarding the use of AI).
  • Personal data breach reporting requirements. There will be no change to personal data breach notification threshold requirements.

A key concern is the impact that any change in UK law may have on its status as an “adequate jurisdiction” for the purposes of data exports from the EU. We await commentary on the UK proposals from key EU institutions.

Many organisations will only just be beginning to feel comfortable that the requirements of the GDPR have been properly embedded, and the prospect of reconsidering privacy frameworks in light of new legislation will likely feel daunting. This will be particularly true for privacy teams that span both the UK and EU, who will face the dilemma of whether to deviate from existing policies in order to take the benefit of the UK proposals, or to maintain the simplicity of compliance with one standard across both the UK and EU. The approach will likely depend on how beneficial the amendments to the UK regime turn out to be in practice.

Your DACB Data Protection, Cyber & Information Law team will be bringing you detailed analysis of the full consultation response, as well as sector specific commentary, to help you navigate this new chapter of data protection developments. The journey in a new direction begins!

Your DACB team:

Jade Kowalski

Hans Allnutt

Patrick Hill

Khurram Shamsee

Charlotte Halford

Eleanor Ludlum

Chris Air

Darryn Hale

Sophie Devlin