On 18 July, the Government laid before parliament the Data Protection and Digital Information Bill (DPDIB) which sets out the detail behind the much anticipated data protection reform announced by the Government in the Queen’s speech earlier this year. The DPDIB amends the UK GDPR, the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) 2003 (PECR).
What are the key proposed changes for businesses?
The DPDIB is lengthy (nearly 200 pages long) so we have set out below some of the key changes but more detailed articles will follow on some of these points and others covered by the DPDIB.
One of the key changes under the DPDIB is that it seeks to clarify how personal data can be used for research, statistical and historical purposes, and it assists organisations with determining how personal data can be used for further processing (i.e. where an organisation wants to use the personal data for a purpose other than the purpose for which it was originally collected). The aim of these amendments includes clarifying the meaning of research, statistical and historical research purposes and removing uncertainty around how uses of personal data can be changed in a way which complies with the UK GDPR.
The UK GDPR permits use of personal data where it is necessary for the legitimate interests of the controller or a third party provided the interests are not overridden by the rights and freedoms of the individual. This requires an assessment to be carried out (referred to as the balancing test) to ensure rights and freedoms of individuals are not overridden. The DPDIB specifies that certain interests are ‘recognised legitimate interests’ which means it will not be necessary to carry out that balancing test and the DPDIB has created a new lawful ground where the processing is necessary for a recognised legitimate interest.
The recognised legitimate interests set out in the DPDIB are not particularly helpful to businesses and only remove the burden of carrying out the balancing test in relation to a number of fairly narrow scenarios (e.g. national security, public security and defence, safeguarding and democratic engagement). Further detail on these changes will follow in a separate article.
Article 27 Representatives
Under the UK GDPR organisations outside of the UK that are subject to the UK GDPR for some or all of their processing activity must appoint a representative in the UK to liaise with the ICO and individuals on behalf of that organisation. The DPDIB removes this requirement. This change was not originally anticipated in either the consultation or consultation outcome.
Data Protection Officer (DPO)
The mandatory requirement to have a DPO in certain circumstances under the UK GDPR has been removed and replaced with a requirement to have a 'senior responsible individual' (SRI). Only public bodies and those carrying out high risk processing will be required to appoint an SRI. This person must be part of the organisation's senior management (e.g. play a significant role in the making of decisions) and there are requirements around their engagement. In general terms, the role of an SRI is similar to that of a DPO, save that the DPDIB makes it clear that an SRI appointed by a processor has more limited tasks.
Article 30 Records of Processing
The UK GDPR requires certain organisations to keep records of the processing activity they carry out. The DPDIB removes this existing requirement and replaces it with new record-keeping obligations. In practice, the obligations on controllers under the DPDIB are not materially different from those under the previous regime, but the records which processors are required to keep are reduced.
Under the DPDIB, the requirements are listed as the minimum information required, with organisations being obliged to keep 'appropriate' records (having considered the nature of the personal data concerned and the activities, risks to individuals and available resources). For organisations that currently maintain an Article 30 Record under the UK GDPR, their records should meet the minimum requirements under the DPDIB. However, we will need to wait for guidance to establish the extent to which organisations may be required to go beyond the minimum information listed in the DPDIB. Certain organisations will be exempt from this requirement, and the exemption has also been simplified under the DPDIB so that no record keeping is required for organisations with fewer than 250 employees unless they carry out high risk processing.
Data Protection Impact Assessments (DPIA)
Under the UK GDPR, carrying out a DPIA for certain types of processing was mandatory. This has been replaced in the DPDIB with an 'assessment of high risk processing'. The information required in an assessment of high risk processing appears to be more limited than that required in a DPIA, so this represents a reduction in the obligations on organisations.
Under PECR, consent is required before any cookies (which includes similar technologies) which are not 'strictly necessary' are set on a user's device. Currently, consent is required before an organisation can store information on, or gain access to information stored on, the user's device; for example, analytical cookies, which are used on most websites, require consent and information to be provided to the user before they are set. Complying with these rules can mean organisations are unable to gather information relating to the use of their website.
Data Protection Rights
In addition to the above, there have been various further changes from a data protection perspective relating to automated decision making and data subject rights, which will be the subject of future articles. Of particular note are the provisions under the DPDIB which relate to data subject rights; these have been updated to give controllers greater ability either to refuse to respond to a request or to charge a fee. More detail will follow on this in a separate article.
What now for the DPDIB?
The DPDIB has just been laid before parliament, so it is relatively early days in terms of knowing what the final legislation will look like and whether any change in the Prime Minister or Secretary of State will lead to a change in approach. The date for the second reading of the DPDIB has not yet been set, so it is difficult to predict when this process will be completed and the legislation will take effect. This is an area to keep a close eye on for the rest of this year.
What does this mean for your organisation and what should you be doing in the meantime?
As you can see from the above, many of the proposed changes either add clarity to existing rules (and therefore do not create new compliance requirements), or are a change in approach which reduces some of the burden placed on businesses under the UK GDPR. So for now, in respect of the DPDIB, it’s as you were. Continue with your UK GDPR and privacy compliance and that will put you in a good place for this new regime. The most significant question is whether the changes proposed will, in the eyes of the EU, mean that personal data is not considered to be adequately protected in the UK, putting the UK's adequacy decision with the EU at risk. The adequacy decision allows for the free flow of data from the EU to the UK without controllers having to put any additional measures in place – but watch this space!
For further information on the new UK cross border transfer regime, please see our article here.