Now that the UK has left the EU, the government wants to create a new data regime, which will build on the retained EU version of the General Data Protection Regulation (EU) 2016/679 (UK GDPR) along with the Data Protection Act 2018. As the first step towards reforming the regime, the ‘Data: a new direction’ public consultation was launched by the Department for Digital, Culture, Media and Sport on 10 September 2021 and closed on 19 November 2021.
Last time, we looked at Chapter 1 of the consultation – Reducing barriers to responsible information. In this article B P Collins’ corporate and commercial team summarises Chapter 2 – Reducing burdens on businesses and delivering better outcomes for people.
Privacy management programme
The government has proposed the implementation of a more flexible, risk-based accountability framework – a ‘privacy management programme’.
Whilst the government wants to ensure that those already compliant with UK GDPR will remain compliant under the new regime, it wants to promote more innovative approaches to data protection. The government comments that the current regime is a ‘box-ticking exercise’.
The Law Society strongly disagrees that the current regime leads to a box-ticking compliance regime and fails to see how a privacy management programme would be different to the current regime.
The ICO states that any new approach to data protection should not create more costs for those that have already invested time and resources to be compliant with UK GDPR.
Removal of certain compliance requirements
The government also proposes to remove some disproportionately burdensome compliance requirements of UK GDPR. The requirements that are proposed to be removed are:
- the need to designate a data protection officer (DPO);
- the need to undertake a data protection impact assessment (DPIA), with organisations instead free to adopt different approaches to identifying and minimising data protection risks;
- the requirement to consult with the ICO for high-risk processing; and
- certain record keeping requirements.
The Law Society views DPOs as very important and effective at improving compliance with data protection. It advises its members to have a DPO even where it would not be compulsory under UK GDPR. The Law Society also views DPIAs as a way of helping businesses manage risk and as an essential tool for ICO enforcement. Furthermore, The Law Society disagrees with the proposal to remove certain record keeping requirements as they assist with upholding accountability.
Whilst it agrees that the requirement to have a DPO may be prescriptive, the ICO also highlights the experience and professionalism that DPOs bring to data protection. Similarly, the ICO views DPIAs and record keeping requirements as potentially inflexible but states that DPIAs ‘have been invaluable for controllers to understand the breadth of data protection issues quickly and efficiently, while taking action to protect the public’.
Good record keeping helps to uphold privacy management, although the requirements could be reduced for smaller organisations carrying out low-risk processing. The ICO believes that there should still be a requirement to consult it for high-risk processing, as this is an important safeguard and assists with supporting organisations carrying out such processing.
Reporting data breaches
The government wants to reform breach reporting requirements by changing the threshold for reporting data breaches to the ICO so that breaches are reported only if the risk to individuals is material. The Law Society does not believe that there should be a materiality threshold, as it does not see any indication of over-reporting of breaches. However, the ICO supports the proposal, states that there has been an ‘over-reporting of low-risk incidents’ and welcomes greater clarity on when breaches should be reported.
Another proposal is to introduce a new ‘voluntary undertakings process’ under which an organisation that has demonstrated a proactive approach to accountability can provide the ICO with a remedial plan. This remedial plan would be authorised by the ICO and no further action would be taken.
The ICO comments that any such voluntary undertaking process should only be an option where the organisation proactively raised the infringement. Moreover, any such process should not tie the ICO’s hands and it should still be able to take further action following the approval of a remedial plan.
The government wants to tackle the issue of permission for cookies on websites. Organisations need access to the data collected by cookies to improve their websites and services, but individuals complain that there are too many cookies on websites and many people accept them without reading the pop-ups on websites.
To deal with these issues, the government is exploring permitting organisations to use cookies without the user’s consent at all. The government has also suggested browser-based solutions (where the user selects their cookie preferences via the browser rather than on individual websites) or the use of data fiduciaries.
The Law Society contends that the current issue with cookies is not due to the complexity of the law but organisations who try to take advantage of the law with exceptionally long cookie notices. The Law Society suggests that a specific model for cookies could be adopted instead.
Data Subject Access Requests (DSARs or SARs)
The government is also looking at amending the process for DSARs by introducing a fee regime for access to personal data held by data controllers and by reviewing the threshold to refuse DSARs.
The Law Society believes that such changes could affect access to justice and that the current operation of DSARs does not pose a problem.
For the ICO, DSARs form almost half of all the complaints it receives, so it is important that individuals can still exercise this important right if there are any changes to the current process.
Next time we will be summarising Chapter 3 – Boosting trade and reducing barriers to data flows.