Data Protection: what changes are in the pipeline?
Background and context
The backbone of data protection law in the UK for the last five years has been the European Union’s General Data Protection Regulation (GDPR). Implemented in UK law through the Data Protection Act 2018 (DPA), GDPR is widely viewed as a pioneering piece of data protection legislation.
But the government has been eyeing up potential changes to GDPR since Brexit came into force. In particular, the publication of the National Data Strategy in September 2020 and the 2021 “Data: A New Direction” consultation showed that the government were ready to “reshape regulation outside the EU” by creating a “free flow” of data, reducing burdens on businesses and preventing scientists from being impeded by red tape.
The first version of the Data Protection and Digital Information Bill (DPDI) ended up falling victim to the political upheaval that hit the UK in the summer of 2022, but the second (and current) version of the DPDI was published on 8 March 2023 by Michelle Donelan, Secretary of State for Science, Innovation and Technology. Heralded as a change that would save the UK economy approximately £4.7 billion over 10 years, the DPDI recently passed its second reading in the Commons.
At 214 pages long, the DPDI consists of amendments, insertions and removals to the DPA.
For all that the government have claimed that the DPDI represents a “new system” of data protection, these changes are built within the existing structure of the GDPR, and this means that UK businesses that already comply with GDPR will only need to make minor changes if they wish to go about business as usual.
That said, there are a number of changes worth discussing.
Clarifying the definition of “personal data”
The protections and requirements of GDPR only apply to personal data. Any data that is not personal is exempt from all the handling and processing requirements of GDPR. It is therefore very important for businesses to know when information is and is not personal.
At present, personal data is defined as “any information relating to an identified or identifiable living individual”.
The DPDI amends this to:
• The controller or processor of the data can identify a living individual, by reasonable means, using only that data without any further information; or
• Another person will, or is likely to, obtain the information as a result of the processing and a living individual will be, or is likely to be, identifiable by reasonable means, by that person.
The added definition is intended to make clearer what data is subject to GDPR.
This tightens the definition of ‘personal data’ by showing that even data deriving from an individual can be exempt from GDPR if the person processing it cannot use the data to identify the individual it comes from. If less data is considered personal, it will result in less admin and expense on the part of an organisation. The definition was, and still is, broad, so it is hard to know at this stage how significant this change could be.
Subject Access Requests: “vexatious”
Under the current rules, Subject Access Requests (SARs) can only be refused (or charged for) if a request is deemed to be “manifestly unfounded or excessive”. This is a high bar that only justifies refusal of an SAR in serious circumstances.
“Manifestly unfounded” is to be replaced completely with the new term “vexatious” (“intended to annoy someone or cause problems for them”). This threshold is clearly lower, enabling organisations to more comfortably refuse SARs when they are plainly intended to hinder operations.
The government argues in its impact statement that this will save businesses costs and it is hard to disagree. This is a common-sense, positive change that will undoubtedly be welcomed by UK businesses.
Data Protection Officers (DPOs)
Under the DPDI, the role of DPO is to be scrapped entirely and replaced with the new role of “Senior Responsible Individual” (SRI).
Almost all of the requirements for this role are unchanged, so businesses that employ internal DPOs will find that nothing changes except the title.
However, there is one very significant change: the SRI must be an “individual” who is “part of the organisation’s senior management”. Under current arrangements, many businesses choose to appoint someone external to act as DPO. On the face of it this means that external DPOs will no longer be permitted.
However, there appears to be a loophole: the SRI is able to meet the requirements of their role by “securing that [their tasks] are performed by another person”. There is no stipulation that the other person has to be internal. Presumably, therefore, the SRI would be allowed to ‘outsource’ their day-to-day work to an external third party.
The importance of an organisation taking responsibility for the protection of personal data is clear, and it is possible that the proposed change may prompt some organisations to run a tighter ship internally. However, the change comes with some significant drawbacks: an external DPO arrangement can enable businesses to access expert data protection advice without creating an employer/employee relationship to do it.
The government has stated that those already complying with GDPR will not need to make significant changes. However, bringing this role back in house is a significant change. The government has been asked for clarity on this. We also contacted the ICO to ask for clarification on this point, but as the DPDI is still at bill stage, the ICO were unable to advise on specific details. We will therefore need to watch this space to see whether any amendments are made or clarity given.
Clarification of “scientific research”
Permission is already granted under the DPA for personal data processing in any research that can reasonably be described as ‘scientific’. The DPDI adds an express acknowledgement that this can include commercial activity.
Direct marketing: tightened restrictions and increased punishments
GDPR already contains regulations governing how and when direct marketing is appropriate. The DPDI further tightens UK law in this area; all providers of electronic communications networks (internet service providers, for example) will be obliged to notify the ICO of any “reasonable grounds” they have for suspecting that someone has contravened direct marketing rules.
In addition, the maximum fine for breaching those rules has increased considerably, to £17.5 million or 4% of global annual turnover (whichever is higher). This is a clear attempt by the government to crack down on spam calls and emails, a goal that will surely be welcomed by almost everyone.
Record-keeping and “high risk”
Under existing GDPR rules, it is a requirement for organisations to keep records of their data processing activity. The DPDI makes a significant change in this area: it amends the UK GDPR to clarify that processors and controllers are exempt from the requirement to keep records of their processing, unless they are “carrying out high risk processing activities”.
This change potentially unburdens countless organisations and businesses from onerous record-keeping requirements, depending on whether their processing is “high risk” or not.
Determining what is “high risk” therefore becomes very important, and this is another area where the DPDI makes changes. Under GDPR, detailed guidance on “high risk” was available in an EU document called “WP248”, but new guidance will be required given that the UK is no longer subject to it. Clause 17 of the DPDI therefore imposes a duty on the Information Commissioner’s Office (ICO) to publish a guidance document giving examples of types of ‘high risk’ processing.
It is likely that the ICO’s document will resemble WP248, but there is no way of guaranteeing that until it is published. It is therefore uncertain how radically this will change the definition of ‘high risk’, making this an area to keep a close eye on.
Reforms to the ICO
The DPDI brings sweeping changes to the structure, powers and objectives of the Information Commissioner’s Office. The ICO is to be set up with a board, chair and chief executive in line with the UK’s other regulators, with a clearer statutory framework giving it express goals and objectives, requirements to publish instructive guidance for data processors, and stronger enforcement powers to go after those who breach the rules.
As with any large package of reforms, the proof will be in the pudding. Will creating a new regulator add more red tape?
European data transfers and adequacy
The EU’s data protection regime states (under Regulation 2016/679 Article 45) that personal data from the EU, Norway, Liechtenstein and Iceland can flow without further safeguards to any countries deemed by the EU to offer “an adequate level of data protection”. As it stands, the UK is deemed to be an ‘adequate’ country.
However, the more out of sync the UK’s data protection regime becomes with the EU’s, the higher the risk that the EU will withdraw the UK’s ‘adequate’ status. The DPDI impact assessment found that the free flow of data between the UK and Europe contributes hundreds of millions of pounds to the UK economy each year, and the loss of adequacy would put this revenue in extreme danger. With the full impact of the DPDI still unclear at this stage, the government must keep in mind the balance between this risk and the potential positives in slashing red tape.
If you have any questions on GDPR and how these changes could affect your business, please contact firstname.lastname@example.org or call 0207 388 1658 and a member of our trusted team can assist you.
Please note that the information contained in this article was correct at the time of writing. There may have been updates to the law since the article was written which may affect the information and advice given therein.