Data Protection reform: A new direction for charities?

3 February 2022

Following the UK’s departure from the EU, the Government wishes to reform the data protection legislation within this country in order to ‘unlock the power of data.’ For charities, does this mean the painful prospect of reworking their existing GDPR compliance regime or the promise of a lighter regulatory load?

From 10 September to 19 November 2021, the Department for Digital, Culture, Media & Sport ran a public consultation on reforms to the data protection regime now that the UK is able to unilaterally amend its own ‘UK GDPR’. The Government wrote that this means “removing barriers to responsible data sharing and use” and creating “an open, welcoming and secure environment where companies… can innovate and grow.”[1]

How the Government proposes to streamline compliance

Building on elements of the UK GDPR, the consultation proposes to remove unnecessary barriers while maintaining high data protection standards. In short, the Government is concerned that the prescriptive compliance regime has become a ‘box-ticking’ exercise, leading to an unnecessary regulatory load on organisations. Some of the proposals to lighten this load are as follows:

  1. Implementing Privacy Management Programmes (‘PMPs’) in place of the activities currently required of organisations to demonstrate their compliance with the fifth principle of the UK GDPR, that of accountability. A PMP is a risk-based framework for the protection of personal data, reflecting the volume and sensitivity of the personal data processed by a specific organisation;
     
  2. Removing the requirement on certain organisations to appoint a Data Protection Officer (‘DPO’) and instead designate a person to be responsible for the PMP;
     
  3. Removing the requirement to produce a Data Protection Impact Assessment (‘DPIA’) where processing of personal data is likely to result in high risk to individuals, instead relying on a PMP;
     
  4. Removing the obligation to consult with the ICO prior to carrying out any processing of personal data where there is a high risk that cannot be mitigated. Currently, this is mandatory, with a fine for non-compliance. The consultation’s proposal is that removing this obligation will encourage more proactive and collaborative dialogue with the ICO;
     
  5. Lightening the record keeping requirements by replacing the current detailed document keeping requirements of the GDPR’s accountability framework with simpler and more flexible requirements to keep certain records under a PMP, reflecting the volume and sensitivity of the data they process;
     
  6. Clarification of the threshold for reporting a data security breach to the ICO in order to ensure that breaches are not reported unless the risk to individuals is material.

Balancing compliance with risk

In the ICO’s Response to the consultation, the Information Commissioner supports the intention of the proposals above, but only in so far as they ensure the burdens of data protection compliance are proportionate to the risk of an organisation’s processing activities.

There is a balance to be struck between the burden on charities and the risk associated with their data processing. The Government seems to believe that the current regime does not strike this balance, relying on evidence that small organisations find the legislation difficult to understand and implement, including a lack of clarity with respect to lawful bases and “overly prescriptive and onerous” record keeping requirements.

However, data protection risk is not determined by either the size of an organisation or its sector. Rather, small charities providing frontline services often process highly sensitive data, for example, relating to children or healthcare. Compliance must be tailored to the relevant data processing rather than to the size or shape of the organisation.

Clarity and accountability

The ICO Response makes a key point with respect to the introduction of more flexible compliance requirements: accountability needs to be enforceable. The removal of DPOs, DPIAs and prescriptive record-keeping may lighten the regulatory load but risks weakening both internal scrutiny within organisations and external enforcement by the ICO. For this reason, care will need to be taken to ensure that any additional flexibility is only available within a clear framework.

Whilst some clarification within the legislation would be welcome, the ICO also highlighted in its response that there is already a significant volume of guidance on the ICO’s website for charities which are struggling to understand their obligations under the current regime. This provides detail on when and how to prepare a DPIA (including templates and guidance on when to consult the ICO), guidance on DPOs, as well as record-keeping requirements and when to report a breach to the ICO. The latter includes a link to a self-assessment tool for any charity which is unsure whether it needs to report a breach. There is specific guidance for small organisations on deciding whether to report a breach within an SME web hub, a repository of information tailored to smaller organisations. Although the ICO notes that it receives relatively few requests to consult, this guidance may be particularly useful for charities which may be engaging in high-risk yet novel processing activities.

The likely direction for reform

The UK is currently relying upon the EU’s agreement that its data protection regime provides an essentially equivalent level of protection to individuals in order to facilitate smooth data flows from the EU to the UK. Whilst there is clearly the political will to provide more flexibility to organisations in complying with data protection law, the Government will be wary of straying too far from the fundamental principles of the EU GDPR for fear of upsetting these arrangements.

And finally, risk assessment is crucial

In conclusion, charities may welcome changes which allow them greater flexibility and autonomy in their data protection activities. However, these changes may introduce similar levels of compliance in another form, after charities have already spent time and resources adjusting their practices to comply with the current regime.

For organisations engaged in complex, sensitive or risky data processing activities, there are unlikely to ever be any easy routes to compliance. No amount of tinkering with the legislation will relieve such organisations of the burden of responsibility for fair, lawful, transparent and secure handling of this data.

Should you have any questions about any of the issues covered in this blog, please contact Emily Carter, Phoebe Alexander, or a member of our Public Law team.

About the authors

Emily Carter is a Partner in our Public Law team with expertise in information law, public inquiries, major inquests and internal investigations.


[1] These objectives are found within the Government’s 10 Tech priorities and National Data Strategy.
