Companies are still breaching the GDPR and PECR. Our training can help you avoid fines like these.
Category: Data Protection
online GDPR training WRONG?
Do you use online e-learning for annual GDPR training?
Our experiences suggest the content may be incorrect!
New Data Protection Course – understanding the DUAA
data protection training 2025
More ICO checks on the way
ICO checks on cookie compliance in 2024 showed that 2 in 3 companies were not compliant with the legislation. A new extended review is on the way!
Decline All Cookies still missing

The ICO has made it clear that
“A website’s cookie banner should make it as easy to reject non-essential cookies as it is to accept them”.
The ICO will be assessing cookie banners of the most frequently used websites in the UK, and taking action where harmful design is affecting consumers.
All website owners need to take heed.
Concrew Training offers a range of courses on data protection, GDPR and PECR.
The ICO issues more fines for PECR breaches than GDPR breaches!
GDPR, PECR and Data Protection Training Courses HERE
We also offer one hour courses that allow the whole workforce to be trained for just £795+vat
ICO enforces PECR cookies law
The Privacy and Electronic Communications Regulations (PECR) require websites to give users fair choices over whether or not to be tracked for personalised advertising.
Websites need to make it as easy for users to “Reject All” advertising cookies as it is to “Accept All” advertising cookies.
The ICO is now starting to enforce this.
Concrew Training’s websites only contain cookies that are strictly necessary for the smooth running and protection of the website, and do not burden users with cookie advertising opt-in/opt-out banners.
The ICO issues more penalties for breaches of the PECR than it does for breaches of the GDPR.
Our course on the PECR is essential for all marketeers and website designers/managers.
PECR not fit for purpose? New ban on cold calling!
The ICO has responded to His Majesty’s Treasury’s (HMT) consultation ‘Ban on cold calling for consumer financial services and products’.
Read the ICO response here, especially if you don’t know of the PECR.
One has to chuckle a little: as the ICO response shows, the Privacy and Electronic Communications Regulations 2003 (PECR) and GDPR already prohibit most cold calling.
The PECR is only 20 years old!
The problem is that few marketeers have heard of the PECR, and others just ignore the regulations. Consequently they continue to break the law. The proposed new legislation is designed to make the offence more prominent and close what small gaps remain.
Either way, Concrew Training’s course on the PECR is kept fully up to date and helps organisations of all types stay legal.
GDPR free resources

The ICO web site contains a raft of free information, advice and guidance on data protection, GDPR and PECR.
For those who prefer a more personal approach our one day courses highlight all the key information in a more enjoyable and interactive way.
UK GDPR and PECR Changes 2022

“The United Kingdom’s Data Protection Regime will be reformed.”
Queen’s Speech – 10 May 2022
UK Data Protection Legislation faces major reforms in the coming months – what are the implications for the UK GDPR and PECR?
Introduction
Many of our courses, including those on data protection, GDPR and PECR, highlight within the “Breaking News” section that post-Brexit changes are on their way. In June reported on over 28 new pieces of legislation through the current Parliament until 2022. The Data Protection Reform Bill is one of these changes, and it gives the clearest indication to date of Government thinking in respect of data protection, GDPR and PECR.
In a nutshell the key messages are:
- The Government will take advantage of the benefits of Brexit to create a world class data rights regime that will allow them to create a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK.
- Modernisation of the Information Commissioner’s Office (ICO), making sure it has the capabilities and powers to take stronger action against organisations who breach data rules while requiring it to be more accountable to Parliament and the public.
- Increasing industry participation in Smart Data Schemes, which will give citizens and small businesses more control of their data.
- Helping those who need health care treatments, by helping improve appropriate access to data in health and social care contexts.
- The reforms will create over £1 billion in business savings over ten years by reducing burdens on businesses of all sizes.
- A 2018 economic analysis by the Department for Digital, Culture, Media and Sport and Ctrl-Shift estimates that the productivity and competition benefits enabled by safe and efficient data flows would create a £27.8 billion uplift in the UK
Key changes to GDPR and PECR
GDPR
Accountability:
- The Government plans to proceed with the requirement for organisations to implement Privacy Management Programmes (PMPs) in all networks and offices.
- Organisations will have to implement a PMP based on the ‘level’ of processing they’re engaged in and the volume and sensitivity of personal data they handle.
- These requirements will be subject to the same sanctions as under current laws.
Data Protection Officers:
- The requirement to designate a Data Protection Officer (DPO) will be repealed when these reforms are implemented.
- There will be a new requirement to appoint a senior individual responsible for data protection. Most of the tasks of a DPO will become ‘the ultimate responsibility of a designated senior individual to oversee as part of the privacy management programme.’
Data Protection Impact Assessments (DPIAs):
- Under the new PMP requirement, organisations will be required to identify and manage risks, but ‘they will be granted greater flexibility as to how to meet these requirements.’
- There will no longer be requirements to undertake DPIAs as prescribed by the UK’s GDPR. However, organisations will be required to make sure they have ‘risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation.’
- Organisations will be able to continue using their DPIAs (if required) but can tailor them based on the nature of their processing activities.
- Existing DPIAs will remain a valid way of achieving the new requirements.
Record of Processing Activities:
- Personal data inventories will be needed as part of an organisation’s PMP, covering what and where personal data is held, why it has been collected and how sensitive it is.
- Organisations will not have to stick to the prescribed requirements set out under Article 30, UK GDPR.
Reporting of Data Breaches:
- No changes will be introduced to alter the threshold for reporting a data breach.
- The Government will work with the Information Commissioner (ICO) to explore the feasibility of clearer guidance for organisations.
Subject Access Requests:
- The Government plans to proceed with changing the current threshold for refusing or charging a fee for Subject Access Requests from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. It is said this will bring it in line with the Freedom of Information regime.
- No re-introduction of a nominal fee for processing access requests.
PECR
Cookies:
- In the immediate term, the Government intends to permit cookies (and similar technologies) to be placed on a user’s device without explicit consent, ‘for a small number of other non-intrusive purposes’. It’s anticipated this will include analytics cookies which allow organisations to measure traffic to webpages and improve offerings to users.
- It’s intended these changes will apply to connected technology, including apps on smartphones, tablets, smart TVs, or other connected devices, as well as websites.
- In the future, the Government intends to move to an ‘opt-out model of consent’ for cookies placed by websites. The Government says its ambition is to improve the user experience and remove the need for ‘unnecessary’ cookie consent banners. It stresses an opt-out model would not apply to websites likely to be accessed by children (we’re assuming this means consent would be required) and its ambitions will be subject to an assessment that effective solutions are widely available for use.
Use of ‘soft opt-in’ extended:
- The ‘soft opt-in’ exemption to consent (for email and SMS marketing) is set to be extended to charities and not-for-profits.
PECR fines to be increased:
- The Government plans to proceed with proposals to increase fines under PECR. This will allow the ICO to levy fines of up to £17.5m or 4% of a business’s global turnover. This would bring fines in line with current fines under the existing regime. Currently the maximum fine under PECR is capped at £500,000.
Political campaigning:
- The Government plans to consider whether political communications should remain within the scope of PECR’s direct marketing rules (or be excluded).
- It also intends to extend the soft opt-in so that ‘political parties and elected representatives can contact individuals who have previously shown an interest in the activities of the party (for example, by attending a conference or donating) without their explicit consent, provided they have been given an opportunity to refuse such communications at the point of providing their details’.
Human oversight of automated decision-making and profiling:
- The Government notes that during the consultation on the reforms, a vast majority of the respondents opposed the proposal to remove Article 22. The right to human review of automated decisions is considered a fundamental safeguard. It was also confirmed that this proposal will not be pursued.
- The Government says it will be considering how to amend Article 22 to clarify the circumstances in which this must apply. It says it wants to align proposals in this area ‘with the broader approach to governing AI-powered automated decision-making’. This will form part of an upcoming white paper on AI governance.
Legitimate Interests:
- The Government intends to create a limited list of defined processing activities where there would not be a requirement to conduct a balancing test for legitimate interests. This list will initially be limited to ‘carefully defined processing activities’.
- This is likely to include processing activities to prevent crime, reporting safeguarding concerns or those which are necessary for important public interests’ reasons.
- The Government proposes a new power to be able to update this list subject
Adequacy:
A key concern is whether the Government’s changes to data protection legislation will risk the EU’s adequacy decision for the UK. This allows for the free flow of data from the EU to the UK without the need for additional safeguards. Adequacy is not referenced in the Government response to the consultation.
Response from the ICO:
UK Commissioner John Edwards stated that ‘he will support and share his ambitions for implementation of these reforms’. In particular he says, “I am pleased to see the government has taken our concerns about independence on board.” (In recent evidence given to the House of Commons Science and Technology Committee, the independence of the ICO was cited by Mr Edwards as an area which could jeopardise adequacy.)
What next?
We now have to await the detail of the Data Reform Bill, which will be subject to parliamentary scrutiny. So still a long way to go before the intended changes come into play. Our training courses will continue to capture the latest breaking news and clarification of the growing amount of jargon that builds around both GDPR and PECR and ensure participants maintain an accurate and up to date understanding of data protection.
Annual Data Protection Training
With nearly 10,000 breaches reported to the ICO each year, there is no room for complacency. Whilst headline breaches often revolve around cyber security, only 1 of the 2172 breaches reported to the ICO in quarter 4 of 2021/22 related to a brute force cyber-attack. The vast majority of breaches may have been avoided had management and staff paid more attention to the key principles of data protection, GDPR and PECR. Our one day courses heighten awareness and help keep data protection in everyone’s mind; in doing so they help organisations prevent breaches, fines and the adverse publicity that accompanies them.
Our courses include:
- The General Data Protection Regulations (GDPR)
- Privacy Impact Assessments
- Privacy and Electronic Communications Regulations (PECR)
- Information Governance
- Cyber Security (details on request)
- Online Safety Bill (details on request)
Contact us today for more information
Header image: based on BREXIT by ChralJon used under CC BY 2.0 text “GDPR Post” added and top/bottom image removed