Prepare for change: UK Data Protection reforms are coming

After the much-trailed setup, via government pronouncements in February and the task force including data reform in May, we now have the 150 pages of detail on how the Government wants to reform the UK data protection regime.

It’s business as usual for now – this is a consultation. Nothing is guaranteed.

And in many ways, the overall effect of the key changes can be summed up by the Who lyric: “Meet the new boss, same as the old boss!”

Different wording, same requirements? Summary of alterations

“Prescriptive” GDPR is out (despite it being flexible already)

“Flexible” UK GDPR in (but actually it looks fairly prescriptive)

Confused? That’s how the Government’s proposals read when it comes to their plans for “reducing burdens on businesses and delivering better outcomes for people”.

The overall tone from the Government makes sense: how an organisation manages data protection (and evidences its compliance) should not be about ‘box-ticking.’ It should not be a “one-size-fits-all approach.”

  • Your approach should be based on an assessment of the relative risk of your data processing activities – these risks are informed by the volume and sensitivity of the personal information under your control and the types of processing you carry out.
  • Your assessment of those risks should then drive and define the amount of resource you commit to managing data protection risk.

But this is precisely what the GDPR requires now:

  • The key “Responsibility of the Controller” outlined in Article 24 says you should take into “account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms” of people.

The issue has always been: how to deliver this and embed it into daily practice.

On the one hand, the Government proposal says that the GDPR prescribes a series of activities and controls that organisations must adopt in order to be considered compliant, that this is a burden, and that they will remove some of these burdens. For example:

Record of Processing Activity (ROPA) out

  • ROPAs can certainly be a love-hate thing. In theory they can (and should) be a cornerstone of getting data protection right. Having a document that outlines why you process personal data; the legal basis; whose data you are processing and which data you process is critical to effective management of data.
  • Yet a ROPA can become a complex spreadsheet that all but the most committed will rarely, if ever, look at or care for.
  • Therefore it is unsurprising when the government highlights that the requirement to have a ROPA can involve the creation of large amounts of paperwork… and that the requirement to provide privacy information largely duplicates this (although one may argue the ROPA should simply inform the privacy information).
  • The government therefore proposes to remove record keeping requirements under Article 30.

Data Protection Officers (DPOs) out

  • DPOs have a quasi-regulatory function within an organisation; they should be independent, with any other functions not resulting in a conflict of interests in their role as a DPO. It can therefore be difficult for some organisations to recruit DPOs, or find suitable existing staff to take on the role.
  • The government therefore proposes to remove the existing requirements to designate a DPO; they may temper this by allowing public authorities to only appoint on the same basis as private companies (i.e. large-scale monitoring, or large-scale handling of sensitive data) or limiting the DPO’s role for some public authorities.

Data Protection Impact Assessments (DPIAs) out

  • The Government highlights that DPIAs can be an effective way to identify, assess and minimise data protection risks, but that organisations may want to use other means to achieve these outcomes.
  • The government proposes to remove the requirement for organisations to undertake a DPIA.

Less breach reporting

  • At present, you have to report breaches unless you assess there’s likely to be no risk to an individual’s rights and freedoms. This has led to even low risks being reported to the ICO…and considerable over-reporting.
  • The government is therefore considering whether to change the threshold for reporting a data breach to the ICO so that organisations must report a breach unless the risk to individuals is not material.

And yet, on the other hand, the Government proposes introducing the following:

Privacy Management Programmes (PMP)

PMPs emerge as the central way the Government proposes organisations manage data protection risk.

Yet despite the talk of less burden and more freedom, the proposal seems to be prescriptive: a PMP is a “framework intended to help an organisation establish a robust and risk-based approach to data protection management, which is embraced and embedded throughout its activities. Privacy management programmes are based on a number of elements at the core of accountability, such as:

  1. leadership and oversight,
  2. risk assessment,
  3. policies and processes,
  4. transparency,
  5. training and awareness of staff, and
  6. monitoring, evaluation and improvement.”

The proposal then highlights that the “new, proposed accountability framework would require that organisations be accountable for personal information under their control.” It then lists a series of activities and paperwork they “must” either do or have in place.

  • These are what organisations should already have in place now!
  • The difference seems to be that the government will more strictly define what is expected.
  • This seems to contradict their stated goal of reducing burdens on businesses and being clear that one size fits nobody.

This can be seen in what the Government will require – essentially DPOs, ROPAs and DPIAs in all but name:

Responsible Individuals (aka like a DPO)

  • There is a proposed requirement to designate a suitable individual, or individuals, to be responsible for the Privacy Management Programme and for overseeing your data protection compliance.

Personal Data Inventories (aka like a ROPA)

  • ROPAs may be gone, but the government still expects you to:
      • Comply with Articles 13 and 14 of the UK GDPR – “which still require much of the [previous ROPA] information to be recorded in privacy notices.”
      • Maintain Personal Data Inventories – which should “describe and explain what data is held, where it is held, why it has been collected and how sensitive it is” (just like a ROPA did).

Risk assessment tools (aka DPIAs)

  • DPIAs may be gone, but the government still expects you to:
      • have in place risk management processes, including those which allow for the identification, assessment and mitigation of data protection risks across the organisation.

The Good

More clarity

There are proposals to transfer certain recitals from the GDPR – which provide clarity on how to interpret certain provisions – into legislation itself.

There will be

  1. a clearer definition of scientific research;
  2. a definition of ‘substantial public interest’ or additions to the specific situations in the Data Protection Act that are deemed to always be in the substantial public interest;
  3. clarity on when you can re-use data when it safeguards an important public interest;
  4. a list of legitimate interests for which you can use personal data without doing a balancing exercise (i.e. without needing to do a Legitimate Interests Assessment). The GDPR already has some – the Government wants to extend this. There is some risk here – see below;
  5. clarity on when data will be regarded as anonymous; and
  6. clarity that private companies, organisations and individuals who have been asked to process personal data on behalf of a public body may rely on that body’s lawful ground for processing the data under Article 6(1)(e) and need not identify a separate lawful ground.

Wider use of the soft opt-in

Charities have often complained that they cannot rely on the soft opt-in provisions (aka being able to use an email address to promote similar goods or services when they’ve obtained the email address during the course of a sale) of the Privacy Regulations.

  • The Government is proposing to extend the soft opt-in to electronic communications from organisations other than businesses where the organisation has previously formed a relationship with the person.
  • This could mean that where someone has signed up to a charity event, you could send them marketing about future events without having to obtain their consent.
  • Note: the government may also extend this to communications from political parties!

Easier transfers of data back to outside the UK (if it originally came from there)

When personal data that originated overseas is transferred to the UK it falls under the scope of the UK GDPR. If you then want to transfer that data back to the sender (a ‘reverse transfer’) you need to work out how to do this compliantly.

  • The Government proposal is to make this easier: transfers that have been received by an organisation in the UK and are being sent back to the original transferor would be exempt from the international transfer regime.

The Riskier

Charges for Subject Access Requests (SARs)

We all know that handling SARs can be a drain on resources. They can take time and effort. On the face of it, the Government’s proposals to introduce a fee regime may seem like manna from heaven.

This would put a limit on the number of hours you would be required to allocate to handling a request, and a limit on the tasks that could be included in this cost calculation.

The government is also looking to amend the threshold for responding. They propose that the test for whether a request is vexatious, and so can be refused, would be whether the request is likely to ‘cause a disproportionate or unjustifiable level of distress, disruption or irritation’, and so you can refuse to handle a request where “access to personal data or concerns about its processing are not the purpose of the request.”

It is a risk because

  • You could end up spending a lot of time and effort working out how to apply the fee regime, and handling complaints about how you’ve decided on the hours and costs.
  • The government highlights that you would still be obliged to deal with a request to the extent possible within the cost limit – for example, by suggesting to the individual the information you can search for, retrieve or extract within the cost limit. The cost limit would not function as a ground on which to refuse outright to deal with a request.
  • Any decision to say you have reached the cost limit (and will search no more) will shine a light on the underlying issue: your record keeping. You are essentially saying to the requester that you’ve been unable to locate, retrieve and review all their personal data within the 18 hours you’ve been allocated. This may invite further questions about whether you operate as effectively and efficiently as possible.
  • A decision to label a request as vexatious can shine a light on what is often the root cause of the SAR – for example, a complaint, concern or a disagreement over a decision. Being perceived as unwilling or unable to provide personal data to someone in relation to such matters may only add to (rather than resolve) these wider issues.

Cookies and legitimate interests

At present, you can only place a cookie on someone’s device without their consent if it’s strictly necessary – e.g. it is essential to make a website work properly.

Cookies that enable analytics and tracking currently require consent. And this has led to endless pop-ups…that most people ignore or do not really understand (and so this undermines the idea that they have given genuinely informed consent).

The government offers two possible solutions (and is in a “seeking evidence” mode, rather than having arrived at a final view):

  1. Permit organisations to use analytics cookies and similar technologies without the user’s consent – i.e. consider analytics cookies as necessary.

Note: the EU is already proposing this in their update of the Privacy Regulations.

  2. Permit organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes. This could include processing that is necessary for the legitimate interests of the Data Controllers where the impact on the privacy of the individual is likely to be minimal.

The government recognises that these options will not entirely remove consent pop-ups, but there will be fewer, meaning that people can (in theory at least) direct more of their time and attention to making important decisions about the use of cookies and other technology that may have a material effect on their privacy (such as tracking).

The risk is what an organisation considers as “necessary” for its “legitimate interests” – this could potentially be open to considerable interpretation…considerably widening the types of cookies being placed on devices without people knowing or being asked to agree.

Legitimate Interests

The risk with an expanded list of legitimate interests, especially one that includes processing personal data for “internal research and development purposes, or business innovation purposes aimed at improving services for customers”, is that, like the idea of having “necessary analytics cookies”, it is potentially open to a wide interpretation by business…meaning that more personal data will be processed without an assessment of the impact on people’s rights and freedoms.

AI and Machine Learning

The Government is looking at making it easier for organisations to use AI and permit certain automated decision making without human oversight. They recognise this will require more data in order to train and test AI responsibly.

Again, on the face of it this could be an improvement – but there is risk if organisations perceive any change in the law as simply a green light to deploy AI, or consider their actions as “training and testing” when in fact they produce material impact on people, affecting their privacy and rights.

In summary

If you are already doing data protection well then you will be largely unaffected by the majority of the proposals.

If you are currently unsure how to do data protection – e.g. because the law doesn’t tell you what to do – then giving you even more freedom will be unlikely to help:

  • Indeed, the Government itself recognises that the “introduction of Privacy Management Programmes may create additional burdens for organisations arising from increased discretion as to how to deliver compliance within the new accountability framework.”

And if you think of data protection as a simple “tick-box” exercise, a compliance burden, or simply not important – then these changes will not shift your mentality or approach.

  • Here, the government says something rather interesting: they highlight that the new requirement to implement Privacy Management Programmes will be made on “all organisations” – which may mean many more organisations have to take data protection more seriously.