On June 17, 2022, the United Kingdom (UK) government published its response to its consultation on reforms to the UK’s data protection laws. In effect, the response describes the extent to which the UK government intends to deviate from the General Data Protection Regulation (GDPR) in a post-Brexit world. In summary, rather than radical divergence from the GDPR, the proposals largely move the focus from process to outcomes. While the changes may not be radical, they inevitably add to the complexity of the regulations with which data controllers and processors will need to comply. We summarize below some of the key proposals likely to have an impact on businesses operating in the UK.
In September 2021, the UK government produced a consultation paper entitled “Data: a new direction” which sought comments on a number of proposals to reform the UK’s data protection regime post-Brexit. The aim of the consultation was to reform UK data protection laws in a way that would enable the UK to take a more “pro-growth and innovation friendly” approach (the key areas of this consultation were covered in our previous article). The consultation lasted for 10 weeks and received almost 3,000 responses, including from the Information Commissioner’s Office (ICO). The UK government considered these responses and on June 17, 2022 it set out its own position. The UK government will now prepare a Data Reform Bill containing the amendments for consideration by Parliament.
Accountability Framework Reform
The UK government proposes to introduce a more flexible accountability framework underpinned by “accountability management programmes.” In substance, these programmes would reflect the volume and sensitivity of the personal data processed by an organization. This is distinct from the requirements imposed by the GDPR. The four most notable changes relate to the existing requirements to: (A) appoint a DPO; (B) complete DPIAs; (C) maintain a record of processing; and (D) consult with the ICO in connection with certain high-risk processing.
- Data Protection Officers (DPOs)
The UK government plans to remove the mandatory requirement of the GDPR to appoint a DPO and instead proposes that responsibility be placed on a “designated senior individual.” At present, there is no requirement for a DPO to be a “senior individual.” By placing responsibility with a senior individual, the intention is to “embed an organization-wide culture of data protection.” That proposal is similar to obligations imposed by the Bribery Act 2010 (UK), which requires organizations to “set the tone from the top” and “create an anti-bribery culture.” Organizations will still be able to appoint a DPO provided there is oversight from an accountable and senior individual.
- Data Protection Impact Assessments (DPIAs)
The UK government proposes to remove the requirement for organizations to conduct DPIAs. However, organizations will still need to ensure they employ risk assessment tools to identify, assess and mitigate potential data protection risks.
- Record Keeping Requirements
In addition, the UK government plans to remove the record keeping requirements under Article 30 GDPR; instead, organizations will need to keep “personal data inventories.” These inventories will still require records of where and why personal data is held as well as its level of sensitivity, but in a manner which is less prescriptive than what is currently required.
- Prior-Consultation Requirement
Lastly, the UK government plans to remove the mandatory requirement to inform the ICO of high-risk processing. Instead, organizations will be encouraged to consult with the ICO voluntarily. The idea is that a voluntary regime will encourage organizations to come forward more readily with high-risk issues. Prior consultation with the ICO by an organization will be considered as a mitigating factor if the ICO decides to pursue infringement proceedings against that organization at a later date.
While the UK government had considered easing the breach reporting requirements under Article 33 GDPR, it has now decided to leave the requirements as they currently stand. Instead, the UK government will consult with the ICO to explore the feasibility of providing clearer guidance on the topic.
Data Subject Access Requests (DSARs)
In the consultation, respondents were asked whether the threshold wording of “manifestly unfounded or excessive” was setting the bar too high for organizations to refuse to respond to DSARs. Based on the responses, the government has decided to change the threshold so that organizations can refuse requests which are “vexatious and excessive.” The idea is that this wording is less vague and will free up organizations to respond to fewer DSARs overall. Related to this, the UK government has also confirmed that it would not re-introduce the nominal fee for the processing of DSARs after respondents cited concerns about how this might impact vulnerable people.
The UK government confirmed that it would legislate to remove the need for websites to display cookie banners to UK residents. The requirement on websites to seek explicit consent before placing cookies that are not strictly necessary on a user’s device is currently mandated by an EU-derived law called the Privacy and Electronic Communications Regulations 2003 (PECR). Eventually, the UK government intends to change this law and phase towards an opt-out model for cookie consent, with the provision that organizations would have to display clear information on their websites on how to opt out.
In the immediate term, the UK government intends to legislate for cookies to be put on users’ devices without their explicit consent for a number of non-intrusive purposes (as yet to be defined). This opt-out model will not, however, apply to websites which are regularly accessed by children. The government will only introduce this opt-out model after consultation with both industry and the ICO and once it is satisfied that solutions for such a model are widely available for use. Of significance also, the government intends to raise the level of fines which can be levied under the PECR in line with that of the GDPR (£17.5 million or 4% of global turnover).
The UK government’s response to the consultation provides a good indication as to what will be included in the proposed Data Reform Bill announced in the Queen’s speech earlier this year. It is expected that a draft of the Bill will be published later in the year which will provide greater clarity as to the UK’s new direction on data protection.