Following the UK’s departure from the EU, the Government wishes to reform the data protection legislation within this country in order to ‘unlock the power of data.’ For charities, does this mean the painful prospect of reworking their existing GDPR compliance regime or the promise of a lighter regulatory load?
From 10 September to 19 November 2021, the Department for Digital, Culture, Media & Sport ran a public consultation on reforms to the data protection regime now that the UK is able to unilaterally amend its own ‘UK GDPR’. The Government wrote that this means “removing barriers to responsible data sharing and use” and creating “an open, welcoming and secure environment where companies… can innovate and grow.”
Building on elements of the UK GDPR, the consultation proposes to remove unnecessary barriers while maintaining high data protection standards. In short, the Government is concerned that the prescriptive compliance regime has become a ‘box-ticking’ exercise, leading to an unnecessary regulatory load on organisations. Some of the proposals to lighten this load are as follows:
In its Response to the consultation, the Information Commissioner’s Office (ICO) supports the intention behind the proposals above, but only in so far as they keep the burden of data protection compliance proportionate to the risk of an organisation’s processing activities.
There is a balance to be struck between the burden on charities and the risk associated with their data processing. The Government seems to believe that the current regime does not strike this balance, relying on evidence that small organisations find the legislation difficult to understand and implement, including lack of clarity with respect to lawful bases and “overly prescriptive and onerous” record keeping requirements.
However, data protection risk is not determined by the size of an organisation or by its sector. Small charities providing frontline services often process highly sensitive data, for example data relating to children or to health. Compliance must therefore be tailored to the data processing actually carried out, rather than to the size or shape of the organisation carrying it out.
The ICO Response makes a key point about the introduction of more flexible compliance requirements: accountability needs to remain enforceable. Removing the requirements for DPOs, DPIAs and prescriptive record-keeping may lighten the regulatory load, but it risks weakening both internal scrutiny within organisations and external enforcement by the ICO. For this reason, care will need to be taken to ensure that any additional flexibility is only available within a clear framework.
Whilst some clarification within the legislation would be welcome, the ICO also highlighted in its response that there is already a significant volume of guidance on the ICO’s website for charities which are struggling to understand their obligations under the current regime. This covers when and how to prepare a DPIA (including templates and guidance on when to consult the ICO), the role of DPOs, record-keeping requirements and when to report a breach to the ICO. The breach guidance includes a link to a self-assessment tool for any charity which is unsure whether it needs to report a breach. There is also specific guidance for small organisations on deciding whether to report a breach within the ICO’s SME web hub, a repository of information tailored to smaller organisations. Although the ICO notes that it receives relatively few requests for prior consultation, that route may be particularly useful for charities engaging in novel, high-risk processing activities.
The UK currently relies on the EU’s adequacy decision, which recognises that the UK’s data protection regime provides an essentially equivalent level of protection to individuals, to facilitate smooth data flows from the EU to the UK. Whilst there is clearly the political will to give organisations more flexibility in complying with data protection law, the Government will be wary of straying too far from the fundamental principles of the EU GDPR for fear of upsetting these arrangements.
In conclusion, charities may welcome changes which allow them greater flexibility and autonomy in their data protection activities. However, these changes may simply introduce a similar level of compliance in another form, after charities have already spent time and resources adjusting their practices to comply with the current regime.
For organisations engaged in complex, sensitive or risky data processing activities, there are unlikely to ever be any easy routes to compliance. No amount of tinkering with the legislation will relieve such organisations of the burden of responsibility for fair, lawful, transparent and secure handling of this data.