What will the Data Reform Bill mean for UK businesses operating in the EU?
At the state opening of parliament on 10 May, the Prince of Wales announced the government’s intention to reform the UK’s data protection regime. Since Brexit, this has comprised two complementary laws – the UK GDPR (General Data Protection Regulation) and the DPA (Data Protection Act) 2018.
The UK GDPR applies both to UK organizations that collect, store or otherwise process the personal data of individuals residing in the UK, and to non-UK organizations that offer goods or services to, or monitor the behavior of, UK residents. As its name suggests, the UK GDPR is based on, and is substantially similar to, the EU GDPR, which applied in the UK before Brexit.
The DPA 2018 supports the UK GDPR and applies to certain types of processing that are outside the Regulation’s scope, including processing by public authorities. The DPA 2018 also sets out data processing regimes for law enforcement processing and intelligence processes.
The GDPR originated in the EU – although with significant input from UK experts and the UK’s data protection authority, the Information Commissioner’s Office (ICO) – so Boris Johnson’s government, elected on a promise of getting Brexit done and cutting EU red tape, has long earmarked it for reform.
According to the official briefing notes for the Queen’s Speech, reforming the UK GDPR and DPA 2018 should “create over £1bn in business savings over 10 years by reducing burdens on businesses of all sizes”, such as “excessive paperwork” and other obligations that have “little benefit to citizens”.
The outcome of the Department for Digital, Culture, Media and Sport consultation on data protection reform has now been published, so the principal recommendations that will be carried through to legislation are known.
In essence, these proposals seek to lessen the administrative burden on organizations (reducing “red tape”), while maintaining an adequate level of protection for individuals’ rights.
The key requirements are as follows.
Organizations must implement privacy management programs
The principle of accountability is key, and it is to be maintained by implementing a privacy management program that is proportional to the risk created by the organization’s data protection processing activities. The government believes that such programs “will place greater emphasis on the principles at the core of accountability, such as organizational responsibility; risk management; transparency; training and awareness of staff; and continuous monitoring, evaluation and improvement of data protection management within an organization”.
In practice, this is often the approach already taken by larger or more complex organizations. This broader approach is to be welcomed, as it will encourage the many smaller organizations that perhaps currently do not do enough to review and modify their practices and introduce a more appropriate data protection program.
Removal of the requirement to designate a DPO
Article 37 of the UK GDPR requires a data protection officer (DPO) to be appointed in certain specific circumstances. Currently, it is not mandatory for the vast majority of UK organizations to appoint a DPO.
A data protection officer is responsible for:
- Representing the organization to the ICO and data subjects, or delegating a representative to do so.
- Ensuring appropriate oversight and support are in place for the program, and appointing appropriate personnel.
- Providing tailored training to ensure staff understand the organization’s policies.
- Regularly auditing the efficacy of the program.
The new proposal is that organizations must appoint a “senior responsible individual” as a data protection officer. The government hopes that this “will shift the emphasis to ensure data protection is established at a senior level to embed an organisation-wide culture of data protection”.
While this is a “headline” proposal, it probably will not make a substantial difference to the administrative burden for many organizations. The key challenge will be to ensure that the “senior responsible individual” has a suitable working knowledge of the law and data protection to effectively undertake their duties.
In practice, we are sure that many organizations will continue to delegate the detail of managing their data protection programs to experienced professionals. The government suggests that “some organizations that process large volumes of highly sensitive data might continue to appoint and resource data protection officers where they consider that is the best way to monitor and improve compliance”.
A more flexible approach to DPIAs
Article 35 of the UK GDPR requires organizations to carry out a data protection impact assessment (DPIA) when a type of processing is likely to result in a high risk to data subjects’ rights and freedoms. The government is legislating to remove the mandatory requirement to undertake DPIAs for high-risk processing, as it believes that “data protection impact assessments can be a more prescriptive duplication of other risk assessments that achieve the same outcome performed within an organisation; for example, organizations which have compliance teams performing wider risk analysis which sometimes ends up duplicating some of the requirements under the data protection impact assessment requirement”.
Other than a DPIA or a specific privacy risk program, it is extremely rare to find any risk assessment in an organization that recognizes the risks to individuals’ data protection rights. For this reason, it is highly unlikely that this change will be material. In fact, it may actually increase the administrative burden on organizations by extending the requirement to “ensure there are risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organization” as part of their privacy management program.
However, the increased focus on formal risk assessments that this legislation will inevitably bring is welcome.
Changes to the requirement to keep records of data processing activities
Article 30 of the UK GDPR requires data controllers to keep specific records of their data protection processing. The government will legislate to replace this requirement with a more general requirement where “organizations will need to have personal data inventories as part of their privacy management program which describe what and where personal data is held, why it has been collected and how sensitive it is”.
Superficially, this would appear to be a simplification of the existing requirement, removing the need to document some of the existing characteristics of the processing – for example, envisaged time limits, international transfers and appropriate safeguards. However, in practice, many of these attributes will still have to be maintained for an effective privacy management program and associated risk assessments. It is hard to envisage how this proposal constitutes a material saving in administration for organizations and, sadly, looks like rearranging the deckchairs.
Other GDPR-related changes
There are several other changes to the existing GDPR-based regime being legislated that will not have a significant impact on the vast majority of organizations. These include a change from mandatory to voluntary consultations with the ICO in relation to new high-risk data processing, and changing the current threshold for refusing or charging a reasonable fee for a subject access request from “manifestly unfounded or excessive” to “vexatious or excessive”, which will bring it into line with the Freedom of Information regime.
Changes to PECR and cookies
The consultation also focused heavily on reviewing the controls introduced by the Privacy and Electronic Communications Regulations (PECR) – in particular, the requirement to display cookie banners on websites.
The government will introduce legislation to remove the need for websites (and other connected devices) to display cookie banners to UK residents and “in the immediate term, the government will permit cookies (and similar technologies) to be placed on a user’s device without explicit consent, for a small number of other non-intrusive purposes”. The example quoted is for website analytics.
Interestingly, the government will also require websites to respect automated signals emitted by browsers and intends “to move to an opt-out model of consent for cookies only when the government assesses these solutions are widely available for use”.
Anything that provides greater clarity for organizations on where cookies can be used without specific consent is to be welcomed. However, it is not yet clear what will be allowed. We imagine that privacy-intrusive cookies – such as those that track an identifiable user’s behavior or allow cross-site marketing – will still require active consent and therefore a banner. I also see the requirement to respect “do not track” signals from browsers as useful clarity.
There is welcome news for charities and other non-commercial organizations, which will be permitted to benefit from the so-called “soft-opt-in”. This will allow an opt-out regime for marketing communications but “in parallel, will take steps to make sure that appropriate safeguards are in place to protect individuals who do not wish to continue receiving communications”.
Perhaps the most encouraging element of this proposal is the government’s intention to introduce the same level of fines for breaches of the PECR as for the GDPR. This will bring the threat of a 4% global turnover fine for cookie misbehaviour clearly into focus, along with other bad marketing communications practices.
International data transfers
Currently, the rules regarding international data transfers under the GDPR-equivalent legislation can be highly complex to manage. The government intends to move away from the existing GDPR-based structures and “intends to create an autonomous framework for international data transfers that reflects the UK’s independent approach to data protection, that helps drive international commerce, trade and development and underpins modern-day business transactions and financial institutions. The UK’s approach will be driven by outcomes for individuals and organisations”.
This is probably the most contentious area to be addressed in the proposed legislation. It is clearly an area where the UK intends to move out of alignment with the current adequacy arrangements and is therefore likely to be subject to intense scrutiny, particularly if the suggested changes allow the data of UK citizens to travel more easily (and less transparently) to countries with less rigorous data protection regimes – potentially lowering the overall level of data protection currently afforded to data subjects.
When looked at in detail, the proposed individual changes do not appear to be as significant as their sum might suggest. It is highly likely that organizations will still have to undertake very similar levels of administration. For example, any saving from changing the Article 35 requirements and replacing DPIAs may be outweighed by the need for organizations to have a demonstrable and proportionate privacy management system. The shift to a more centralized and cohesive risk assessment regime is welcome, as is clarity on cookies and the big uplift in fines for breaching the PECR.
To fully understand the impact on individuals’ rights, we will need to wait for more detail. However, the general principles of the proposal would appear to support these rights and continue to ensure that organizations are fully responsible for their implementation. The ones to watch, where there may be a risk of eroding individual rights, include the specifics on allowable cookies and details on international transfers.
Peter Galdies is founder and senior consultant at DQM GRC. He is a data and technology professional with over 30 years’ experience, providing expert advice on implementing privacy in real business situations with a particular emphasis on privacy-by-design. DQM GRC is a specialist data protection and privacy consultancy. It is part of GRC International Group and has 25 years’ experience in data regulation and practices.