Here’s what you need to know about the UK’s plans to radically alter GDPR
The UK government’s consultation on reforming data protection, launched on 9 September, sets out a radically different framework for data protection than GDPR. From re-orientating the Information Commissioner’s Office to new ways for businesses to process data, these far-reaching reforms are set to have a significant impact on business.
Although the plans have been announced in consultation and not every proposal may make it into law, the direction of travel has been clear for some time. The UK plans to make it much easier for most businesses to use data, and get the most from data, while still ensuring strong levels of protection.
“The government wants to remove unnecessary barriers to responsible data use. A small hairdressing business should not have the same data protection processes as a multimillion-pound tech firm. Our reforms would move away from the “one-size-fits-all” approach and allow organisations to demonstrate compliance in ways more appropriate to their circumstances, while still protecting citizens’ personal data to a high standard.” Department for Culture, Media and Sport
While these proposals aren’t finalised, the driving force behind the reforms is to enable new ways for businesses to use data. This could generate significant opportunities for UK firms, as well as reduced regulatory burdens. Similarly, with the implementation of GDPR in 2018, businesses who prepared early were able to make the most from the opportunities the changes presented.
Here are the key areas of GDPR the UK government is planning to amend, alongside the relevant sections from the consultation document.
New lawful basis for research (S. 44-48)
Currently, personal data can be used for scientific research purposes, which can include technological development, applied research and privately funded research conducted in the public interest for public health. However, this is not a statutory definition and can leave organisations conducting research wondering which lawful basis is best. The government proposes to incorporate a clearer definition of scientific research into law, as well as creating a new, separate lawful basis for using data for research.
When it’s not possible to fully identify the purpose of the personal data at the time of collection, the government proposes to enshrine in law that the further use of data for research purposes is always compatible with the original purpose and is lawful.
New condition for processing sensitive personal data for AI (S. 91)
The government is planning to enable more use of AI and automated decision making. To extend more safeguards for bias monitoring, detection and correction, the proposals would create a new condition for the processing of sensitive personal data for these purposes.
New ways to use legitimate interest (S. 60-61)
Currently, the use of the legitimate interest basis for processing data requires a balancing test, weighing up the rights of data subjects against the interests of the business. The government proposes to create a list of legitimate interests for which organisations can use personal data without having to undertake a balancing test.
The suggested list includes:
- Using personal data for internal research and development purposes, or business innovation purposes aimed at improving services for customers
- Using audience measurement cookies or similar technologies to improve web pages that are frequently visited by service users
- Improving or reviewing an organisation’s system or network security
- Improving the safety of a product or service that the organisation provides or delivers
This is a wide-ranging change which would mean that data processed under the legitimate interest condition could be used for internal research or new kinds of activity within the company aimed at providing a better customer experience. This could allow data collected for one purpose to be re-used in different parts of the business, such as a marketing department reviewing existing customer data in order to design a better onboarding process for new clients.
Fees for subject access requests (S. 188-189)
Prior to GDPR, the 1998 Data Protection Act set a nominal fee of £10 to access personal data, which was removed by GDPR. The government is planning to introduce a fee regime similar to that in the Freedom of Information (FOI) Act 2000 which applies to public bodies. Under FOI rules, there is an internal cost limit of around £600 beyond which organisations can either refuse the request or charge a fee for responding.
While these proposals don’t yet specify if a fee can be charged for every request or how much, organisations may be expected to respond to requests up to a cost limit. There may also be extensions to what kind of subject access requests can be deemed vexatious, allowing organisations to refuse based on concerns that access to personal data is not the purpose of the request.
Extend the soft-opt in option for electronic communications (S. 210)
Currently, soft-opt in for electronic communication for direct marketing can be used by businesses who have previously been in touch with an organisation during a sale or transaction, as long as the person has not refused or opted out. This can only be used by commercial organisations, but the proposals would extend this to non-commercial organisations, such as charities and political parties. They will be able to use soft-opt in to send electronic communications to people they have previously formed a relationship with. But organisations must provide a chance to opt out when they first collect the person’s contact details and on every subsequent communication they send.
Increasing fines for PECR breaches to GDPR levels (S. 216-218)
Currently, PECR breaches can result in a monetary penalty notice of up to £500,000 per breach, which can be issued against the organisation or its directors. The proposals would allow for GDPR level penalties, of up to £17.5 million or 4% of global turnover, for PECR breaches.
Assessing more countries as having an adequate data protection regime (S. 237)
The UK currently treats EEA states, Switzerland, Gibraltar and the 12 countries assessed as adequate by the EU, as adequate for the UK. The UK is planning to assess more countries as adequate, which would allow greater flow of data between the UK and the rest of the world. The government is considering how to give adequacy to groups of countries, regions and multilateral frameworks, such as those signed up to a particular trading bloc.
Reform of the ICO (S. 321-322)
As expected, the government is keen for the ICO to be more closely aligned with the National Data Strategy, seeing the body as less an independent regulator and more of an arm of government better able to advise businesses alongside government priorities. The consultation proposes enabling government to set the strategic direction of the ICO, and for the government to write strategic priorities for the ICO for how it regulates data protection. This is similar to how other regulators like Ofcom, Ofwat and Ofgem work. This would mean the ICO’s regulatory powers would be more in line with government priorities, which are focused on removing the barriers to responsible use of data by business.
Easier use of automated decision making (S. 101)
The government plans to remove Article 22 of GDPR, which prevents automated individual decision making and profiling which produces legal effects or similarly significant decisions. This would permit solely automated decision making which could have a legal or significant effect, such as loans or mortgage approvals. This could make it easier for businesses to automate more processes and introduce machine learning and AI to provide more efficient outcomes, without the need for human review.
Dropping cookie pop-ups (S. 206)
Alternatives to cookie pop-ups on websites, such as removing the need for consent for all types of cookies, are being planned. The government wants to enable businesses to remove these pop-ups from their website, whilst still ensuring that cookie preferences are used in a way that is lawful, fair and transparent. This would make it easier for adtech companies for example to track users and deliver more tailored messaging.
Amending accountability requirements (S. 145-147)
Currently, organisations must satisfy a number of prescriptive requirements to demonstrate GDPR compliance, regardless of their size or processing activities. This is expected to be amended and replaced with a more flexible and risk-based accountability framework. Organisations would be expected to implement a privacy management programme tailored to their own processing activities. This would also remove the specific compliance requirements within UK GDPR.
Removing the need to appoint a data protection officer (S. 163)
The requirement to appoint a DPO will be removed. Instead, the government will expect a suitable individual to be designated to oversee the organisation’s data protection compliance and be responsible for the privacy management programme. This would also take into account the size and nature of the organisation, and how much personal data it processes.
Removing the need to undertake a DPIA (S. 167)
Data protection impact assessments were a significant piece of GDPR compliance, requiring an in-depth assessment to be done prior to new processing activities. This is to be removed and organisations will instead be able to adopt different approaches to identifying and minimising data protection risks. This is likely to be particularly relevant to smaller companies or those who process less data.
Removing the need for prior consultation with the ICO (S. 170-173)
Currently, when high-risk processing activities have been identified and cannot be mitigated, the organisation must consult the ICO before processing and may face penalties of up to 2% of global turnover if they don’t. This is to be removed and it will no longer be mandatory for prior consultation with the ICO, nor will organisations face any penalties for not doing so.
Removing record-keeping requirements (S. 174-177)
Under Article 30 of GDPR, most organisations are required to maintain at all times a record of processing activities, including categories of data, categories of data subjects, to whom data is shared, including third countries, how long data will be kept for and what security measures are in place to protect it. This is to be removed. The new requirements to have a privacy management programme would still mandate a certain amount of record-keeping, but organisations would have more flexibility to do so in a way that reflects the volume and sensitivity of the data they process.
Changes to breach reporting (S. 178-180)
Currently, breaches must be reported to the ICO unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. However, this reporting exemption can only be relied upon when there is likely to be no risk, so low risk breaches are always reportable. This threshold is to be changed so that a breach which does not pose a material risk to individuals will not have to be reported. The ICO would be directed to produce guidance on what constitutes a material and non-material risk, but a material risk is likely to mean a breach which could significantly impact the individual.
Removal of the right for individuals to directly complain to the ICO (S. 384)
The proposals include a new requirement for a complainant to attempt to resolve their issue directly with the data controller before lodging a complaint with the ICO. This would be coupled with a requirement for data controllers to have a simple and transparent complaints handling process in place, which would form part of the controller’s privacy management programme. The ICO may also be given more power to decide not to investigate certain complaints.