The Data Protection and Digital Information Bill is currently at the committee stage in the House of Lords. When it emerges into legislation, will it make a significant difference to how organisations comply with data protection requirements?
In this blog, Martin Brazier and Stuart Skelly, both Senior Consultants at URM, share their thoughts on how they believe it will diverge from the current UK General Data Protection Regulation, and speculate on the impact it may have on the UK data protection (DP) compliance landscape when it is passed into statute.
What was the original aim of the Bill?
Forming part of the National Data Strategy announced back in 2019 and first published by the Boris Johnson administration as long ago as July 2022, the Bill has had one of the most tortuous and protracted passages through parliament of any recent legislation, characterised by stops and starts, and at least one major reset (or what was described at the time as such – whether the ‘No. 2’ version of the Bill introduced in March 2023 actually changed very much is a matter of debate). In January 2024, it took a step closer to the end of the legislative process by moving into the Committee Stage in the House of Lords, where the numerous amendments made to the Bill in the House of Commons will be examined in detail.
The stated aim of the legislation, outlined in the consultation document which started the process, was to reform the data protection (DP) regime to create a net monetary benefit of £1.04bn over ten years by unlocking innovation and research, cutting the cost of compliance for business and delivering benefits to UK trade.
The Bill makes changes to three pieces of existing legislation – the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations 2003 (PECR). Reading the Bill in isolation, it is difficult to visualise the effect it will have on the current legislation, but there are ‘Keeling’ schedules available (in effect, redlined versions of the affected legislation) which show the proposed changes more clearly.
As its title suggests, the Bill is divided into two distinct parts. The first part deals with DP reform measures, while the second part contains the digital information provisions – such as setting up a framework for the supply of digital verification services in the UK, including a register of organisations providing digital verification services, a trust mark for use by registered organisations and an information gateway for the public.
Will it deliver the aims? Will it make life easier for organisations? Will it strengthen protection for the rights and freedoms of individuals? Are there any risks? Let’s start by looking at a few of the significant changes currently in the Bill.
What are the main changes?
Data Protection Officers (DPOs)
The role of the data protection officer (DPO), first enshrined in the EU GDPR and an integral part of UK legislation, is to be abolished and replaced by a ‘senior responsible individual’ (SRI). The appointment of an SRI will only be required where an organisation is a public body or conducting high risk processing. This may well remove the requirement for many businesses to have a specific individual, although given that DPOs are now established in many organisations’ DP strategies, this may just represent a change in title.
The definition of personal data
The Bill seeks to clarify terms which privacy professionals probably think are already clear enough. The definition of ‘personal data’ is amended – and some would argue restricted – to refer to ‘living individuals’, rather than ‘natural persons’, to explain what is meant by ‘identified’ and ‘identifiable’, and to clarify the definition of pseudonymisation.
Technical and organisational measures
The Bill modifies the terminology in the UK GDPR by replacing the requirement to implement ‘appropriate technical and organisational measures’ (or TOMs) with ‘appropriate measures, including technical and organisational measures’ – so potentially broader than the EU GDPR. Guidelines will presumably be forthcoming from the Information Commissioner’s Office (ICO) as to what this change in wording means, such as specifying examples of appropriate measures which are currently unavailable to controllers because they are neither technical nor organisational.
Representatives
The Bill removes the requirement for controllers which have no presence in the UK, but which process the personal data of people who are within the UK, to have a UK representative in place.
The definition of scientific research
One of the key aims of the Bill is to enable more scientific research and innovation. It amends the definition of scientific research, widening and clarifying the scope to include processing for the purposes of ‘any research that can reasonably be described as scientific, whether publicly or privately funded’ and explains that scientific research purposes can include processing for commercial or non-commercial activity. This is similar to the definition in Recital 159 of the EU GDPR but the Government is confident this will facilitate greater research by giving commercial organisations similar freedoms to those enjoyed by academia.
Records of Processing Activities (RoPAs)
The Bill proposes that only controllers or processors that process data in a way that ‘is likely to result in a high risk to the rights and freedoms of individuals’ will be required to maintain such records. Currently, all processing should be covered in a RoPA. This will result in fewer organisations creating or maintaining a comprehensive RoPA, which may be counterproductive in the long term, as URM has found that a RoPA is a critical building block in achieving compliance and, therefore, needs to encompass all of an organisation’s processing, not just the high-risk activities. This is because the RoPA is, among other things, a data risk identification and management tool, and even ordinary, low-risk processing generates some duties (e.g., to provide a privacy notice), risks and liabilities which the processing organisation still needs to manage using the RoPA.
Data Protection Impact Assessments (DPIAs)
DPIAs will only be mandatory for high-risk processing, with the required content being a summary rather than a systematic description of the purposes of processing and the measures to mitigate risk. Again, URM believes the DPIA is a highly valuable risk control tool to assess a proposed new or amended form of processing and serves as a useful means to record the thought and decision-making processes. The obligation to seek, where appropriate, the views of data subjects on the proposed processing has been removed, as has the obligation to consult the ICO on high risks that the controller cannot mitigate by way of the DPIA, which is replaced by a discretionary option to consult the ICO.
Processing activities with a ‘recognised legitimate interest’
The Bill sets out the types of processing activities which the Government has determined constitute a ‘recognised legitimate interest’, and which will therefore not require a controller to perform a legitimate interest test (LIT). The list in the proposed Annex 1 to the UK GDPR includes processing personal data for the purpose of detecting, investigating or preventing crime, disclosures to people carrying out tasks in the public interest, and processing necessary for the purposes of democratic engagement, which will benefit political parties’ campaign efforts. While this list isn’t as radical as some may have hoped or feared, it is not fixed, as the Bill provides for the Secretary of State to amend it through secondary legislation.
Purpose limitation
A proposed Annex 2 to the UK GDPR introduces a list of purposes which are deemed always compatible with the original purpose for which personal data was collected. These include disclosures to public authorities where the authority states it needs the data for a task in the public interest, disclosures for public security purposes, emergency response, safeguarding vulnerable individuals, protecting vital interests, preventing and detecting crime, assessing tax, and complying with legal obligations.
Automated decision making
Restrictions on automated decision making similar to those currently found in the UK GDPR are retained, but only where the decision will rely on processing special category data. Automated decisions not relying on special category data are now permitted, provided certain safeguards are put in place, such as the ability for data subjects to make representations, contest the decision and require human intervention.
Subject Access Requests (SARs)
The original consultation document proposed some initiatives to reduce the burden for organisations responding to subject access requests (SARs). To deter frivolous requests, they included the re-introduction of a fee for SARs, which was in the 1998 Act and was removed by the GDPR. The consultation also proposed a cap on the amount of information to be provided under a SAR, similar to the ‘appropriate limit’ for Freedom of Information requests. Both proposals, however, have been removed, which will disappoint those public bodies which receive a huge number of requests covering large amounts of complex data requiring redaction. Instead, the Bill seeks to clarify when SARs can be refused. Currently, requests can be rejected where they are deemed by the receiving organisation to be ‘manifestly unfounded or excessive’. The ‘excessive’ ground for rejection is retained alongside a new ‘vexatious’ category which mirrors that found in the Freedom of Information Act. It is not clear how much difference there will be between ‘manifestly unfounded’ and ‘vexatious’ in practice, and it will depend on the guidance given by the ICO, which currently only supports such refusals in extreme cases.
The Information Commission
The Bill makes significant changes to the structure and governance of the ICO with the status of Information Commissioner as a ‘corporation sole’ being abolished and replaced by a body corporate called the Information Commission. Initially, all powers and obligations of the Commissioner will transfer to the Information Commission and the present incumbent will become the non-executive Chair of the Commission. This brings the structure in line with that of other UK regulatory bodies.
Simpler rules on cookies
Through a number of exemption provisions, the Bill proposes permitting the use of cookies for purposes that the Government considers to present a low risk to people’s privacy, and will allow the use of cookies without consent for ‘non-intrusive’ specific purposes, namely: first-party analytics; enabling website functionality; software security updates; or for emergency assistance. Again, the Secretary of State will have the power to add to that list. These purposes not requiring consent are similar to those set out in the proposed EU ePrivacy legislation. Also, the Bill will bring the enforcement powers for breaches of PECR into line with the UK GDPR which will allow the Commission to serve up larger fines for nuisance calls and spam, which have long been their main targets for enforcement.
The PECR ‘soft opt-in’ to marketing
The ‘soft opt-in’ in the PECR regime allows commercial organisations to send electronic marketing information to their existing customers – and those who have started the process of becoming customers – without requiring consent, provided that the marketing communication is offering similar goods and services to what the customer has purchased or enquired about before and there is a simple way to opt out, such as an ‘unsubscribe’ button on an email. The Bill widens this regime under PECR to political parties and non-commercial organisations.
International transfers
The Government’s view is that international data transfers drive commerce and support research and innovation, so one of the Bill’s aims was to make it easier to make international data transfers while still protecting personal data. Following Brexit, the UK essentially adopted the EU’s list of ‘third countries’ outside the EU in which the DP laws were adequate to allow the data of people in the EU to be lawfully transferred to those countries without any additional protections (e.g. contractual clauses) being required, along with the process for making those ‘adequacy decisions’. Under the new regime, the notion of a ‘data protection test’ is introduced in Article 45 of the UK GDPR, by which the Secretary of State can make an adequacy decision if the standard of DP in a third country is ‘not materially lower’ than that provided under UK law, a bar which is arguably lower than the ‘essentially equivalent protection’ standard applied by the EU when gauging adequacy. The factors to be considered will be respect for the rule of law, human rights, the existence and powers of a supervisory authority, onward transfer rules and the privacy culture of the recipient country importing the data.
So What Difference Does it Make?
The Bill is currently at Committee stage in the House of Lords and is likely to receive more scrutiny there than in the House of Commons. It passed through the Commons without much fanfare, not least due to the factors that have delayed it thus far – the COVID epidemic, changes of Prime Minister and new Secretaries of State. Moreover, the House of Lords is more likely to be alert to any adverse effects on the rights and freedoms of data subjects.
The Bill, when passed, will only affect the processing of UK people’s data – the UK parliament cannot alter the EU GDPR, which regulates the use of data of people in the EU. Many UK businesses process the data of EU people as well as UK people, and it may not be easy to segregate UK data within their systems, so any benefits for these organisations could be seriously limited. And for UK organisations which have already expended much time and effort over the last six years on establishing DP programmes which are EU GDPR compliant, retooling their privacy compliance frameworks to take advantage of the Bill’s slightly lighter regulatory requirements, for only part of their processing (that of the data of UK-based individuals), may well not make economic sense.
While the Bill removes some duties, it imposes others, such as the appointment in certain circumstances of an SRI who must be a member of senior management, not just reporting to the board as a DPO must do now, and having to provide data subjects with an internal mechanism for dealing with any complaints they have about how their data has been handled. As such, it might actually create a new net burden for most UK businesses.
So, it is difficult to see how this will cut the cost of compliance for organisations, and in the short term will probably increase it, as they seek to understand the implications of the reforms and what they need to do. Whether it will achieve the monetary benefit expected is uncertain, as is how that benefit can be measured.
The Government clearly sees this Bill as an opportunity to declare its intention to be at the vanguard of the data age, to be an exemplar of innovation and a country where scientific research is unencumbered by legislation. It also represents a statement of intent that legislation inherited from the EU can be amended following Brexit, and that the UK can use its third country status to provide a place where international organisations can do business away from what it believes are the restrictions of EU DP requirements.
But the Bill as it stands erodes rather than removes any rights and freedoms, and eases rather than revolutionises any compliance efforts by organisations. How much practical difference the changes will make remains to be seen and will be affected by how the new Information Commission interprets them and how willing it is to enforce them.
And then there is the small matter of the UK’s own adequacy decisions with the EU – there are currently two, one for transfers under the EU GDPR and the other under the Law Enforcement Directive. The European Commission will start work later this year to decide whether to extend the adequacy decisions for the UK for a further period up to a maximum of another four years. If the Commission doesn’t extend the decisions, then they will expire on 27 June 2025. How will the EU’s view of the UK be affected by further divergence from a DP regime which started life as the EU model? If the UK loses its adequacy status, how will that affect the Government’s aims?
The modern DP legislative age started with a period of change in 2018 with the adoption of the GDPR and the Law Enforcement Directive, changed again as a result of Brexit and is set to change again should the Bill be passed into law. It has been difficult for organisations – some of which don’t have any depth of DP knowledge in-house – to be aware of how that change affects them and how to ensure they are compliant in a constantly evolving landscape. DP practitioners, on the other hand, are getting used to the sand shifting beneath their feet, and it looks like it will continue shifting for a while yet.
How can URM help?
Regardless of how the DPDI Bill changes UK DP law when it eventually passes, GDPR compliance will continue to be relevant to almost every organisation. With a 19-year track record of providing data protection consultancy to assist organisations in achieving and maintaining compliance with DP legislation, URM is ideally positioned to help you understand and comply with this new law when it comes into force. Our large team of GDPR consultants can offer a range of services to help your organisation comply with the Regulation, always providing advice and guidance that is informed by the latest developments in DP legislation. We can conduct a gap analysis of your current processing practices against regulatory requirements and provide remediation support for any areas of noncompliance we identify, as well as offering more specific GDPR consultancy services such as assistance with DPIAs and DTIAs. URM’s consultants can also help you to produce a RoPA, and to process any data subject access requests (DSARs) you receive by offering a GDPR DSAR redaction service. For ongoing compliance support, URM offers a virtual DPO service, which provides you with access to a team of experienced DP practitioners, each with their own specialised area of DP consultancy.
If you would like to enhance your own understanding of DP and the GDPR, we regularly run a range of DP-related training courses. If you are looking to gain an industry-recognised qualification in DP, URM offers a BCS Foundation Certificate in Data Protection (CDP) course, aimed at leaving you with a strong understanding and practical interpretation of UK DP law, including the UK GDPR and DPA 2018. You can also attend our half-day courses on conducting DPIAs and DTIAs, and our 1-day ‘How to Manage DSARs’ training course, each of which will provide you with the skills necessary to undertake and manage these vital compliance activities when you return to your workplace.