
InFocus

Data protection law to be reformed again

The UK government is seeking to reform the legal framework of data protection through the Data Protection and Digital Information Bill

The current UK law on data protection has been in place for more than five years. It was put in place following the implementation of the EU’s General Data Protection Regulation (GDPR), which produced the UK GDPR and the Data Protection Act (DPA), and the government is now seeking to reform that legal framework through the Data Protection and Digital Information Bill (DPDI).

The bill is the culmination of a reform programme that began with a public consultation in the autumn of 2021; it was first introduced in July 2022 but never got off the ground. Since practices hold a great deal of private information on patients and staff, a change in the law could affect how they operate.

A new position

Kevin Modiri, a partner and solicitor at law firm Nelsons, says the original bill was postponed after former prime minister Liz Truss took office. However, he details that in October 2022, the government said it would revive the bill. Modiri comments that the bill is not a replacement for the GDPR but a refinement to allow greater certainty for individuals, along with a clarification of certain aspects of the existing framework.

Jeanette Burgess, head of regulatory and compliance at Walker Morris, sees the government seeking to capitalise on post-Brexit freedoms to change the current data protection regime. She says, “According to the new bill’s explanatory notes, some elements of the GDPR and DPA create barriers, uncertainty and unnecessary burdens for businesses and consumers.”

She adds: “In announcing the new bill, the government described it as a common-sense-led UK version of the EU’s GDPR. The intention is to update and simplify the UK’s data protection framework, reducing burdens on organisations while maintaining high data protection standards.”

Modiri agrees that the bill seeks to bring in a less burdensome and more flexible regime that will be easier and less expensive to implement. He believes the bill will prove a boon to small and medium-sized firms, help the UK economy to the tune of £4.7 billion and boost data protection standards so businesses can continue trading freely with global partners, including the EU.

Proposed changes

With the background set out, what is the bill proposing?

First off, Modiri states that the new DPDI bill has been described as largely the same as its predecessor but contains a number of provisions that are expected to simplify UK data laws. However, one change that is key to the reform is an update of the meaning of personal data, which now specifies what is meant by identifying an individual directly or indirectly and information relating to an identifiable living individual.

Then, there are changes to the definition of legitimate interests in the GDPR used as the legal basis for data processing. Modiri points out that there is a proposal to include some examples of processing that may be considered necessary for the purposes of a legitimate interest, such as for direct marketing, intra-group transmissions of data and processing to ensure the security of network and information systems.

Beyond that is a proposed new legal basis for processing for a recognised legitimate interest. The key difference between this and the current legitimate interest basis is that businesses relying on one of the recognised legitimate interests only need to ensure that their processing falls within one of the listed activities.


Modiri also points to a clearer and more stable framework for international transfers, with a risk-based approach to data transfers and changes to the adequacy rules. He says that this will give businesses a simpler and clearer set of rules for international transfers.

All told, though, Burgess feels that the bill doesn’t profoundly change data protection law. It intends that organisations will still need to ensure that they only process personal data where they have a lawful basis to do so and that data protection principles are complied with. In fact, she believes that the changes presented by the bill could end up helping organisations decrease their costs in some situations. Specifically, she says that under the proposed new regime, the obligation to maintain data processing records will only apply to those that carry out high-risk processing activities.

In other areas, the bill will replace the data protection officer with a senior responsible individual (SRI). Burgess says organisations only need to appoint an SRI where they are a public authority or are otherwise engaged in high-risk processing. As the name implies, the SRI must be a senior person in the organisation but can carry out this role in addition to other functions. Interestingly, Modiri notes that there will be no requirement for that individual to have any particular data protection expertise. Rather, that individual can seek advice and outsource functions to other organisations as they see fit.

To speed up certain business processes, the bill proposes a digital verification services trust framework with providers of digital verification services (DVS) being accredited and listed on a DVS register. Verification services are provided at an individual’s request, which involves ascertaining or verifying a fact about the individual from information provided by another source. The DVS will allow individuals to create a digital identity, such as age or address, to prove something about themselves.


There are also changes to rules around using artificial intelligence (AI). Burgess explains that under the current law, solely automated decisions (including profiling) that produce legal or similarly significant effects on data subjects may only be carried out where it is necessary for entering into or performing a contract between a controller and a data subject, it is required or authorised by law, or the data subject has given their explicit consent.

The bill updates the law so that automated decisions can be used more widely. Burgess warns, however, that a significant decision based entirely or partly on special category data, which covers, for example, race, religion and sexual orientation, may not be taken based solely on automated processing unless certain conditions are met.

Another positive change is the relaxation of the law about web cookies, leading to fewer pop-up boxes appearing on websites. But quite possibly, one of the most significant issues for organisations is data subject access requests (DSARs) made by individuals seeking information about them.

The bill doesn’t alter the right to make a DSAR but offers some pushback for data controllers. Modiri says that there will be a proposed amendment to the exemption that businesses can use to charge a reasonable fee or refuse to respond to a vexatious or excessive request.

This change should mean less paperwork and lower costs. However, Burgess cautions, “it will be the data controller’s responsibility to prove that a request is vexatious or excessive. As the bill is currently drafted, there is anticipated to be debate on a case-by-case basis as to whether the threshold has been met.”

But the bill may increase costs

The bill’s main thrust is to reduce burdens, and it should achieve this in the main. However, those with relationships in the EU must still comply with the EU’s GDPR. This is why Burgess says that it may be cheaper for them to continue following the current regime in the interests of consistency, to the extent that the new bill allows. Adopting separate compliance programmes for their EU and UK operations will likely increase, rather than reduce, costs.

Modiri believes the same and says that those doing business solely in the UK, who do not have expansion plans to the EU, may find it easier to comply only with UK laws once the bill is finalised; any multinationals may choose to do the same in relation to their UK-only data processing activities which may reduce costs.

New sticks for enforcement

Obviously, for any legal change to bite, it needs to persuade potential wrongdoers of the consequences of their actions. Data protection breaches and electronic marketing breaches under the Privacy and Electronic Communications Regulations (PECR) are currently treated differently.


The bill seeks to align the fines for nuisance calls and texts under PECR with those under the UK GDPR. That should change behaviours. Presently, breaching PECR can lead to criminal prosecution, non-criminal enforcement, audit and imposition of monetary penalties of up to £500,000. However, the bill increases fines for nuisance calls and texts to up to 4 percent of global turnover or £17.5 million, whichever is greater.

It follows that penalties without proper enforcement are a pointless exercise, and Burgess is concerned that the effectiveness of increased penalties as a deterrent is contingent on the actual level of enforcement. That said, it’s reasonable to assume that the Information Commissioner’s Office (ICO) will take steps to enforce, albeit proportionately.

In conclusion

The bill hasn’t been passed yet, although at the time of writing, it has completed its passage through the House of Commons and is partway through the House of Lords. The changes don’t radically change the data protection landscape, but they seek to liberalise the law; organisations and businesses need to keep a watchful eye on what is coming their way.

Adam Bernstein

Adam Bernstein is a freelance writer and small business owner based in Oxfordshire. Adam writes on all matters of interest to small and medium-sized businesses.
