UK data protection law reform advocates ‘privacy management’
September 17, 2021
What has happened?
In September 2021, the Department for Digital, Culture, Media and Sport issued a public consultation on potential reforms to the UK’s data protection regime.
What do you need to do?
A set of six principles guides the proposals set out in the consultation, which are:
- The UK’s data protection regime should create a net benefit for the whole of the UK, unlocking new economic opportunities both at home and abroad, and keeping society safe and secure,
- The regime should be future-proofed, with a responsive framework that enables responsible innovation and a focus on privacy outcomes that avoids imposing any rules today that become obsolete as the technological landscape evolves,
- The regime should deliver a high standard of data protection for citizens whilst offering organisations flexibility in determining how to comply most effectively,
- Organisations that comply with the UK’s current regime should still be largely compliant with any future regime, except for only a small number of new requirements,
- The Government’s approach to data protection should actively take into account the benefits of responsible use of personal data, while proactively maintaining public trust in such uses, and
- Effective, risk-based and preventative supervision is critical to realising a pro-growth and trusted data regime, and the ICO’s world-leading status as the UK’s independent data protection regulator should be sustained.
The key points within the consultation of the UK’s data protection regime are as follows.
- The Government proposes to create a limited, exhaustive list of legitimate interests for which organisations can use personal data, in order to give them more confidence to process personal data without unnecessary recourse to consent.
- The Government aims to encourage solutions that increase organisations’ confidence and expertise in responsible data sharing practices, possibly through the use of data intermediaries.
- The Government proposes to implement a more flexible and risk-based accountability framework that is based on privacy management programmes.
- To support the implementation of this new accountability framework, the Government proposes to remove and amend various requirements in the current legislation, as set out below.
- It proposes to remove the existing requirements to designate a data protection officer. The DPO would be replaced by the individual(s) responsible for the privacy management programme and overseeing the organisation’s data protection compliance.
- It proposes to remove the requirement for organisations to undertake a data protection impact assessment, so that organisations may adopt different approaches to identifying and minimising data protection risks that better reflect their specific circumstances.
- It proposes to remove the requirement for prior consultation with the ICO before carrying out high-risk processing, so it is no longer mandatory and organisations would not face any direct penalties for failing to consult the ICO in advance of carrying out the processing.
- It proposes to remove the record-keeping requirements under Article 30.
- It is considering whether to change the threshold for reporting a data breach to the ICO so that organisations must report a breach unless the risk to individuals is not material.
- In order to further support organisations that can demonstrate a proactive commitment to accountability, it is considering whether to introduce a new voluntary undertakings process in relation to breach remediation.
- The Government is considering whether to introduce a fee regime (similar to that in the Freedom of Information Act 2000, which provides for access to information held by public bodies) for access to personal data (subject access requests) held by all data controllers.
- The Government is considering two main options for tackling issues relating to the use of analytics data and of cookie pop-ups. The first option would permit organisations to use analytics cookies and similar technologies without the user’s consent, while the second option could permit organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes.
- The Government proposes to extend the soft opt-in under the Privacy and Electronic Communications Regulations (PECRs) to electronic communications from organisations other than businesses where they have previously formed a relationship with the person communicated with, perhaps as a result of membership or subscription.
- The PECRs enforcement regime may be made more onerous.
- The Government intends to progress a programme of adequacy assessments of other countries’ data protection regimes and it will consider whether to make adequacy regulations for groups of countries, regions and multilateral frameworks. It will also relax the requirement to review the adequacy regulations every four years.
- The Government intends to explore legislative change to ensure that the range of alternative transfer mechanisms [1] available to UK organisations in the UK GDPR is clear, flexible and provides the necessary protections for personal data.
[1] Alternative transfer mechanisms provide a route for cross-border transfers of personal data to countries that are not subject to an adequacy decision. Alternative transfer mechanisms are typically agreements that provide binding and enforceable protections for individuals’ personal data when it is transferred internationally.
- The Government proposes to exempt ‘reverse transfers’ of data from the scope of the UK international transfer regime.
- The Government is considering whether to empower organisations to create or identify their own alternative transfer mechanisms in addition to those listed in Article 46 of the UK GDPR and proposes creating a new power for the Secretary of State to formally recognise new alternative transfer mechanisms.
- The Government is considering modifications to the framework for certification schemes [2] to provide for a system that better supports the use of certifications as an alternative transfer mechanism.
[2] Certification schemes are voluntary, market-driven frameworks of context-specific rules that, under the UK GDPR, can be used to demonstrate a high standard of compliance and to provide appropriate safeguards for international transfers.
- The Government proposes establishing a proportionate increase in flexibility for use of derogations (that is, exemptions from the rules on international data transfers) by making explicit that repetitive use of derogations is permitted.
- The Government proposes to introduce a new statutory framework that sets out the strategic objectives and duties that the ICO must fulfil when exercising its functions, and that introduces a new overarching objective for the ICO in addition to its other functions, tasks and duties. The ICO would also be placed under new duties to have regard to economic growth, innovation and competition when discharging its functions.
- The Government proposes that the ICO should deliver a more transparent and structured international strategy as part of its accountability and transparency requirements.
- The Government also proposes to empower the DCMS Secretary of State to initiate an independent review of the ICO’s activities and performance.
- For complaints, the Government proposes introducing a requirement for the complainant to attempt to resolve their complaint directly with the relevant data controller before lodging a complaint with the ICO.
- The Government is also proposing a requirement on data controllers to have a simple and transparent complaint handling process in place to deal with data subject complaints.
- The Government is proposing to introduce a new power for the ICO to commission an independently produced technical report to inform its investigations, obtaining a view from a third party about aspects of a regulated organisation’s activities.
- The Government is exploring whether there is a need for a power that allows the ICO to compel witnesses to attend an interview in the course of an investigation.
How can we help you?
If you’d like to know more about how we can help you understand the UK’s data protection regime or if you need support with your data protection or electronic marketing arrangements, our expert team is here to help.