For businesses that have spent the last few years getting to grips with their privacy obligations since the GDPR came into force in May 2018, the prospect of further data protection reform, and the fear of having to go back to the privacy drawing board, may not be welcome news. That is despite the fact that the GDPR, more than anything else, largely turned up the volume on obligations that had existed under the previous regime since 2000.
Depending on your point of view, however, there may be some scope for optimism. One of the UK Government’s 10 identified Tech Priorities is to unlock the power of data by removing barriers to its responsible sharing and use in order to improve the lives of its citizens. As far back as December 2020, the National Data Strategy described data as a “strategic asset” giving rise to huge opportunities, which led to the “Data: A New Direction” consultation. That consultation was launched in September 2021, and the full government response published in June 2022 set the tone for how UK data protection regulation would be recast following the end of the EU Withdrawal Period and the perceived opportunity to diverge from the approach adopted within the GDPR. Doing that whilst remaining “adequate” in the eyes of the EU, so that data can continue to flow freely and safely to and from it, and at the same time easing the compliance burden on businesses across the length and breadth of the UK was, and remains, no small challenge.
With the stated intention of making the UK “the most attractive global data marketplace”, the reform proposals included creating a framework that empowers data subjects through the responsible use of their personal data and clarity over their rights, whilst allowing businesses to realise the benefits of greater personal data use by reducing the burdens which may have impeded it. The plan remains for the UK to reshape its approach to regulation outside the EU and seize the opportunities which that perceived new freedom provides.
This was the background to the introduction to Parliament of the Data Protection and Digital Information Bill. The process began with the closure of the “New Direction” consultation and was paused in September 2022 so that the Government could engage with business leaders and data experts on its implementation, the Government noting that data-driven trade generated 85% of the UK’s total service exports in 2021, contributing around £259 billion to the economy. Now that the Bill has reached its second reading, businesses can get a better idea of what is going to be expected of them.
The Bill looks to introduce a simple, clear and notably business-friendly framework which is not intended to be difficult or costly to implement and which will allow more flexibility around compliance than the GDPR offers. There will also be less paperwork needed to demonstrate compliance through a reduction of red tape (including the requirement to carry out Data Protection Impact Assessments, which is replaced by a requirement to carry out “Assessments of High Risk Processing”), together with further clarification of when data is “personal” and therefore falls within the regime’s scope.
Specifically, businesses will now only need to maintain records of processing where they are involved in “high risk” activities, assessed on their nature, scope, context and purposes, such as, for example, operating facial recognition systems. Data Protection Officers will become “Senior Responsible Individuals”, who will only need to be appointed where a business is engaged in higher risk processing or is a public body. SRIs will need to have a seat at the table, however, and form part of the senior management team even if they also fulfil other roles. This is a move away from the GDPR’s restriction that a DPO’s other duties must not conflict with the independence of the role, although businesses may still choose not to bundle data protection in with other compliance duties in the same job description, if for no other reason than to demonstrate to the public that they continue to take privacy seriously. Additionally, businesses based outside the UK but falling under the new regime will no longer need to appoint a UK representative. This may mean that international businesses processing data relating to UK citizens look to retain as much compliance in-house as possible, and may also mean that avenues for complaint are harder for individuals to pursue.
Attracting and retaining customers through direct marketing has also, for the first time, been specifically confirmed to be a “legitimate interest” and so a potentially viable basis for processing personal data. The explanatory notes confirm that almost any legitimate commercial activity may fall within the definition, provided that the processing is necessary and is not outweighed by the privacy rights of individuals. It is significant, however, that there will be no changes to the Privacy and Electronic Communications Regulations (“PECR”), meaning that businesses will still need either to obtain specific consent or to be able to rely upon the “soft opt-in” in order to send direct marketing messages. “Non-commercial” organisations will also be able to send direct marketing communications to individuals who provided their contact details when expressing support for their aims, as part of a newly extended soft opt-in. This will likely have an impact on businesses which have been reticent about relying upon legitimate interest as a justification for collecting personal data for marketing purposes, although the right of individuals to opt out of receiving direct marketing messages at any time will remain.
With potentially greater power, however, comes continued responsibility. Following the Information Commissioner’s Office’s recent introduction of new direct marketing guidance, the maximum fine for breaches of PECR will increase from £500,000 to £17,500,000 or, in the case of an “undertaking”, up to 4% of worldwide annual turnover if higher. This sends a particularly clear message that deterring spam and scams is a high priority under the new regime, and that fines may become both more frequent and larger.
Data Subject Access Requests will also be affected: businesses will be able to charge a fee for, or refuse to respond to, requests which are “vexatious or excessive” rather than “manifestly unfounded or excessive”, and the requests will be subject to updated timeframes. This may not make much difference in the short term given the current lack of guidance or case law on when requests may be rejected, and many businesses may remain cautious and choose to comply rather than risk being reported to the ICO by an aggrieved data subject.
In news that will likely be welcomed both by the public and by many businesses and organisations with an online presence, the Bill will also expand the exemptions which allow cookies and other tracking technologies to be placed on devices without the specific opt-in consent currently gathered through website pop-ups or banners. This does not mean that consent banners will disappear entirely, though: the exemptions will cover collecting information to make improvements, enabling functionality, reflecting user preferences and installing security updates.
Finally, the ICO itself will be reorganised and modernised into a new “Information Commission”, whose responsibilities will include a duty to promote innovation and competition. The Information Commission will be overseen by a new board appointed by the Secretary of State, a move which has led some to raise the spectre of political interference with the functions of a previously independent regulator.
If many of these changes do not seem particularly radical, that is because they are not. The reason is largely to ensure that the UK remains an “adequate” destination for personal data and continues to take privacy as seriously as individuals have come to expect, given their increased awareness of their rights as data subjects. The reality is that, as with the Online Safety Bill, the final detail of the new legislation is still some way from becoming clear and will be subject to intense lobbying before it becomes law. What we can likely say, however, is that businesses which are already compliant with the current regime will remain compliant under the new one, and may be able to spend less on compliance, even if many choose to stick to the higher standards imposed by the GDPR for the time being.
If you are still working on achieving or maintaining that compliance, we would welcome the opportunity to support you. For more information regarding the topics discussed in this article, please contact Steve Kuncewicz at Steve.Kuncewicz@glaisyers.com.