UK data protection reform: Some much needed clarity

31 March 2023

After many months waiting for further clarity, Emily Carter outlines what we now know about the direction of data protection reform in the UK following publication of the Data Protection and Digital Information (No. 2) Bill.

After the Government’s consultation in September 2021 and publication of the first Data Protection and Digital Information Bill in July 2022, the data reform process was paused last Autumn following the country’s change in prime minister to enable ministers to consider the legislation further. The new secretary of state responsible for the Bill, Michelle Donelan, commented in her speech at the Conservative party conference in October 2022 that the GDPR would be ‘replaced’ with a business- and consumer-friendly data protection system, raising the prospect of an entirely new approach to data protection.

After some lack of clarity about whether the bill would return to Parliament this session at all, the Data Protection and Digital Information (No. 2) Bill was published earlier this month. Although the confusion of the last six months is regrettable given the Government’s stated intention to provide certainty for business, there is now at least some clarity about the direction of travel. Rather than introducing any radical developments to the UK GDPR, many of the key elements of the revised bill relate back to the Government’s original proposals. The familiar principles and framework of the UK GDPR will remain in place.

The Bill retains a mixed bag of provisions, most intended to reduce regulatory burden upon organisations. This includes specific provisions relating to direct marketing, scientific research and automated decision making. Some of the general amendments applicable to all organisations are:

Amended definition of ‘personal data’

The definition of ‘personal data’ is the doorway to data protection regulation. Currently, personal data includes any information relating to an identified or identifiable person (Article 4 UK GDPR). The Bill imposes two further conditions: firstly, that the individual must be identifiable by ‘reasonable means’ and secondly, that this assessment takes place ‘at the time of processing’.

It provides important clarity with respect to the risk and timing of identification, given that organisations cannot reasonably foresee whether the recipient of shared data may later acquire information which aids identification of individuals. This proposed amendment will be especially relevant to organisations whose operations depend on the processing of anonymised data, for example, in the science and research community.

Fixed ‘recognised legitimate interests’

The Bill introduces a fixed list of ‘recognised legitimate interests’, which can be amended by the secretary of state, including national security, detecting and preventing crime and safeguarding. Where processing falls within these recognised legitimate interests, which may be reasonably rare for many private sector organisations, the usual balancing exercise does not need to be undertaken.

Separately, legitimate interest remains a lawful basis of processing under Article 6 UK GDPR, but the Bill sets out three “examples of the types of processing that may be processing that is necessary for the purposes of a legitimate interest”. These examples are: direct marketing, intra-group transfers and information systems security. This provides clarity, especially with respect to direct marketing, but does not reduce the compliance burden.

Risk based accountability record keeping

In a move away from ‘tick box’ compliance, the Bill places a greater responsibility upon organisations to identify and mitigate risk depending on the nature of their data processing activities.

The ‘Record of Processing Activities’ required by Article 30 UK GDPR will only be required where processing is likely to result in a ‘high risk’ to the rights and freedoms of individuals (‘high risk processing’). However, a Record of Processing Activities is a basic tool which underpins all compliance activity and will still be practically, if not legally, necessary. As a starting point, for some organisations, Records of Processing Activities will be needed in order to assess whether they are in fact engaged in high risk processing.

Existing obligations to conduct specific Data Protection Impact Assessments (DPIAs) will be replaced with a requirement to undertake an ‘assessment of high risk processing’, which involves familiar, although slightly less detailed, requirements for compliance. Again, when engaged in high risk processing, a full detailed assessment will be prudent irrespective of the statutory provisions.

Although intended to lighten the burden upon organisations, organisations will still need to invest time and resource to properly engage with data processing risk in order to be able to demonstrate compliance with the data protection principles. ‘High risk processing’ is not associated with the size or resources of an organisation. Some third sector organisations process large volumes of highly sensitive data, for example, when providing social services. Therefore, ICO guidance and support will be essential.

Senior Responsible Individual rather than Data Protection Officers

The Bill proposes that Data Protection Officers (DPOs) will no longer be mandatory. For public bodies and organisations engaged in ‘high risk processing’ (defined in the same way as above), the Bill introduces a new statutory obligation to appoint a Senior Responsible Individual (SRI).

This is a distinct role from the existing DPO in that the SRI will have senior management responsibility for data processing. They must be publicly named and registered with the ICO, and will have the statutory responsibility for the performance of a number of tasks including monitoring compliance, advising the controller of its obligations, training of employees, dealing with complaints, dealing with breaches and co-operating with the ICO.

All of the proposed SRI responsibilities may be delegated to others, for example, a DPO without senior management responsibility. Organisations will need to carefully consider whether they need an SRI, a DPO or both. This is primarily a risk and governance issue.

International data transfers

When transferring personal data to third countries on the basis of appropriate safeguards, organisations will now need to ensure, acting “reasonably and proportionately,” that data protection standards in the destination country are “not materially lower than the UK GDPR.” Meanwhile, the Secretary of State will apply a similar test when assessing whether third countries are adequate. Guidance will be needed to explain how this test applies in practice.

Subject access requests / complaints processes

The Bill proposes an amendment to the ‘manifestly excessive’ threshold for refusing to respond to a data subject access request (DSAR). However, whilst this provides some consistency with the Freedom of Information regime, organisations should expect that the threshold will remain high and their DSAR workload will not significantly decrease.

Meanwhile, the Bill places a new statutory obligation on organisations to have in place a formal complaints process, coupled with a provision entitling the ICO to refuse to deal with complaints which have not first been considered by the organisation in accordance with this process. Although the ICO currently expects internal resolution to be attempted, organisations may need to build a more formal complaints handling process into their internal information request handling structure.

Conclusion

In its original consultation paper, the Government reassured organisations that reform was a process of evolution rather than revolution and that those which are compliant with the current regime would continue to be compliant. Will the Bill reduce the regulatory burden upon organisations going forward? Data processing activities are becoming increasingly complex and the stakes are only getting higher. Therefore, for most organisations, there are no shortcuts or quick fixes, and data protection will remain an inherently tricky and time consuming, but critical, part of organisational governance.

Further information

Should you require assistance with your organisation’s preparation for compliance with the reformed data protection legislation, please contact Emily Carter or the Data Protection team.

ABOUT THE AUTHOR

Emily Carter is a Partner in our Public Law team with expertise in Data Protection law and the application of the GDPR. Building upon her background in regulatory and criminal proceedings, she continues to represent clients in connection with public inquiries, major inquests and internal investigations.
