Understanding the Potential Changes to the UK GDPR and Data Protection Laws

A new piece of legislation, the Data Protection and Digital Information Bill, is pending and may introduce significant changes to the UK’s data protection framework, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003.

As businesses increasingly rely on personal data for various purposes, it is crucial for them to stay informed about changes in data protection laws. The proposed bill impacts how organisations can process and use personal data.

Introduced by Michelle Donelan, Secretary of State for Science, Innovation, and Technology, the bill is awaiting approval and may be delayed as a result of the recent election announcement.

In this article, we have discussed some of the key changes that businesses should be aware of, including updates on personal data processing, legitimate interests, automated decision-making, records of processing activities, and subject access requests. By understanding these changes, businesses can ensure compliance with new regulations and avoid potential penalties or fines.

Purpose of the Bill

The bill's purpose is to replace EU-derived data protection laws with a new UK regime and to establish the Information Commission. This commission will oversee the regulation of digital verification services and introduce enhanced measures for privacy and data protection. In doing so, it seeks to create a robust framework that ensures the security and privacy of personal data while fostering innovation and trust in digital services.

The following are included in the previous version of the bill:

Amended Definition of 'Personal Data'

The Data Protection and Digital Information Bill proposes to amend the definition of “personal data” in the UK GDPR.

The key change introduces a “reasonable means” test to determine whether an individual is identifiable. An “identifiable” individual is someone who can be directly or indirectly identified, for example by name, ID number, location data, online identifiers, or other factors such as physical, cultural or economic characteristics. The information has to actually relate to, or be about, that specific individual in some way; merely mentioning their name is not enough.

Specifically, information will only be considered “personal data” if the individual is identified or identifiable by the controller, processor, or any other person involved in the processing, taking into account:

  • All reasonable means likely to be used
  • The time, effort, cost and available technology at the time of processing

This differs from the current definition, which considers if the individual is identifiable to anyone, regardless of the means reasonably likely to be used by the controller or others involved.

In essence, the amended definition restricts identifiability to the specific parties involved (controller, processor, known recipients), rather than to hypothetically anyone in the world who might be able to identify the individual from the information.

This amendment aims to strike a balance between protecting individuals’ privacy and providing clarity for businesses on what constitutes personal data, especially in the context of rapidly evolving technology.

Vexatious Data Subject Requests

The term ‘manifestly unfounded or excessive’ requests, as used in Article 12 of the UK GDPR, will be replaced with ‘vexatious or excessive’ requests. This change aims to give organisations clearer guidelines for handling data subject requests that are unreasonable or overly burdensome, and better protection against misuse of the request process, compared with the current higher bar of a request being “manifestly unfounded”.

Critics argue this could weaken individuals’ ability to exercise their data rights, as organisations may have more leeway to reject subject access and other data requests on “vexatious” grounds.

However, the government likely views this as reducing the burden on organisations from dealing with intentionally disruptive requests.

Explanations and examples of such requests will also be included.

Data Subject Complaints

Data controllers will be required to acknowledge receipt of data subject complaints within 30 days and respond substantively ‘without undue delay’.

Currently there is no set time frame under the UK GDPR for controllers to acknowledge or respond to complaints. This would therefore be a new legal obligation on organisations (data controllers) not only to confirm that they have received a complaint, but also to provide a meaningful response as soon as reasonably possible. This ensures that data subjects’ concerns are addressed promptly and effectively, fostering trust and accountability in data handling practices.

The Information Commissioner’s Office (ICO) could also refuse to consider a complaint made directly to them by an individual, if that person has not first raised the complaint with the organisation (controller) handling their data.

Data Protection Officer

The obligation for some controllers and processors to appoint a data protection officer will be removed. This change aims to reduce the administrative burden on smaller organisations and those with low-risk data processing activities.

However, public bodies and those who carry out processing likely to result in a ‘high risk’ to individuals will be required to designate a senior manager as a ‘senior responsible individual.’ This individual must be part of the organisation’s senior management team and will be responsible for overseeing data protection compliance and ensuring that data privacy measures are robust and effective.

This ensures that high-risk processing activities are still closely monitored and managed at a senior level.

Data Protection Impact Assessments

These will be replaced by leaner and less prescriptive ‘assessments of high-risk processing,’ which aim to streamline the evaluation process while ensuring that significant risks to data security are thoroughly identified and mitigated.

This new approach is designed to be more efficient and adaptable to various high-risk scenarios.

International Data Transfers and Assessment

There will be a new approach to assessing the adequacy of data protection in other countries and international organisations, and to how data controllers carry out a transfer impact assessment (TIA). A TIA is the risk assessment that organisations must conduct when transferring personal data from the European Economic Area (EEA) to a third country that does not have an adequate level of data protection as determined by the European Commission.

The new “data protection test” will evaluate whether a jurisdiction offers comparable levels of protection as the UK GDPR, with a more flexible threshold of “not materially lower.”

While this may make it easier for businesses to secure data transfer agreements, critics express concerns about potentially weaker protections in countries with lower data protection standards than the UK GDPR.

This aligns with the overall aim of the Bill to move away from the EU’s “one-size-fits-all” GDPR approach and provide more flexibility, albeit at the potential cost of reduced data protection rights according to some observers.

The Information Commissioner’s Office to become the ‘Information Commission’

The Data Protection and Digital Information Bill aims to transform the Information Commissioner’s Office (ICO) into a new statutory body called the “Information Commission”.

  • The Information Commission will replace the ICO as the UK’s data protection regulator
  • Instead of being led by an individual Information Commissioner, the Information Commission will be a corporate body with a Chief Executive
  • This shifts from the current single office holder model to a corporate structure with a board and chief executive

The government argues this new model will strengthen governance and accountability. However, critics worry that the restructuring could undermine the data protection authority’s independence and make it more vulnerable to government influence.

Cookie Regulations

Cookies play a crucial role in enabling websites to function effectively and providing a personalised browsing experience. However, with increasing concerns over data privacy, regulations have been put in place to protect user information from being collected and used without their consent.

Under the new proposed bill, consent will no longer be required for cookies used for web analytics and automatic software updates. This streamlines the process for obtaining valuable data insights and ensures that software remains up-to-date seamlessly.

However, consent will still be required for using third-party tracking cookies, such as those from social media platforms like Facebook or LinkedIn, but non-commercial organisations (e.g., charities and political parties) can use the ‘soft opt-in’ for direct marketing if they have obtained contact details from an interested individual.

The bill also introduces stricter penalties for non-compliance to ensure that organisations adhere to cookie regulations and protect user privacy, raising the fines from the current maximum of £500,000 to UK GDPR levels – that is, up to £17.5m or 4% of global annual turnover (whichever is higher).

Furthermore, it grants the Secretary of State power to add new exceptions to the cookie consent requirements after consulting with the Information Commissioner. This allows for flexibility and adaptation to changing technology and consumer preferences.

Main changes from the previous bill are summarised below:

Scientific research

The Data Protection and Digital Information Bill proposes to expand the definition and scope of “scientific research” under the UK GDPR in the following ways:

  • It clarifies that the research provisions cover both privately funded and publicly funded research projects in the public interest
  • It includes an illustrative (non-exhaustive) list of activities that constitute “scientific research”, which explicitly includes technological development and research done for commercial purposes

This expanded definition means more commercial and private sector research and development activities could potentially rely on the research purposes legal basis and exemptions from certain UK GDPR requirements like the need for consent.

However, there are concerns that this broader commercial research exemption, without sufficient safeguards, could enable personal data to be re-used for activities that individuals did not consent to or expect.

Legitimate Interests

Legitimate interests provide a flexible basis for processing personal data in a way that individuals might reasonably expect within a particular context, as long as the organisation’s legitimate reasons are not outweighed by adverse impacts on the individual’s rights and interests.

The previous bill proposed that businesses could rely on legitimate interests (Article 6, lawful basis) without the requirement to conduct a balancing test against the rights and freedoms of data subjects where those legitimate interests are ‘recognised’. These ‘recognised’ legitimate interests cover purposes for processing such as national security, public security, defence, emergencies, preventing crime, safeguarding, and democratic engagement.

The new bill, while maintaining the aforementioned changes, introduces a non-exhaustive list of additional cases where organisations may rely on the ‘legitimate interests’ legal basis. This list includes purposes such as direct marketing, transferring data within the organisation for administrative purposes, and ensuring the security of network and information systems.

However, it is important to note that in these new cases, a balancing exercise still needs to be conducted. This means that organisations must weigh their interests against the potential impact on the rights and freedoms of data subjects.

Automated Decision Making

The concept of automated decision-making has seen significant evolution in recent legislative proposals, particularly with respect to Article 22 of the UK GDPR. The previous bill aimed to apply restrictions only to decisions predominantly driven by automated processing and without ‘meaningful human involvement’.

The newly proposed bill brings about sweeping changes. It plans to amend Article 22 itself and restrict its application solely to automated processing involving special category data, also known as sensitive information. This includes racial or ethnic data, political stances, health-related data, etc.

Article 22’s restrictions would apply only when:

  • There is solely automated processing, including profiling, of special category data that produces legal or similarly significant effects.

For non-sensitive personal data, the restrictions around solely automated decision-making and profiling would no longer apply under the amendments.

This aligns with the stated goal of reducing regulatory burdens compared with the current UK GDPR inherited from the EU.

Records of Processing Activities (ROPAs)

Records of Processing Activities (ROPAs) are essential under the GDPR and UK GDPR. They document an organisation’s personal data processing activities, including purposes, data categories, recipients, transfers, retention periods, and security measures.

Article 30 mandates maintaining ROPAs, with some exceptions for small organisations. They ensure accountability, help comply with GDPR principles, and must be accurate and up-to-date.

ROPAs should be accessible to supervisory authorities upon request.

Under the new bill, only controllers and processors engaged in high-risk processing activities are required to maintain a ROPA.

This change aims to reduce the burden on small organisations that do not process personal data on a large scale or engage in high-risk processing.

Subject Access Request (SAR)

A subject access request (SAR), also known as a data subject access request (DSAR), is a legal right that individuals have under data protection laws like the UK GDPR to request access to the personal data that an organisation holds about them.

However, Clause 12 of the Data Protection and Digital Information Bill proposes an amendment to Article 12 of the UK GDPR that would change how organisations must respond to SARs.

The proposed amendment states that data controllers are only required to conduct “reasonable and proportionate” searches for requested information, rather than exhaustive searches as currently mandated.

While this change may reduce the administrative burden, it also raises concerns about potential limitations on individuals’ data rights. It is therefore crucial for both individuals and organisations to stay informed about these developments in order to ensure proper compliance with data protection laws.

Conclusion

While the Data Protection and Digital Information Bill aims to bring about positive changes in data protection laws in the UK, it is also important for organisations to actively work towards building a data privacy culture within their operations.

This can involve conducting regular employee training on data protection and privacy, implementing strong security measures to protect personal data, and ensuring adherence to the data protection principles when data is collected, processed, and used.

If you need help navigating the changes that may be brought by the Data Protection and Digital Information Bill, consider seeking professional guidance from legal or data protection experts like Proelium Law.

With proper understanding and implementation of these new regulations, organisations can confidently continue to use personal data for legitimate purposes while ensuring that individuals’ privacy rights are respected and protected.
