Data reform in the UK
Since the UK left the EU and are now able to move away from the EU data protection regime, the UK government have implemented a national data strategy with the aim of reducing the burden on organisations but maintaining a high data protection standard.
Since the UK left the EU and are now able to move away from the EU data protection regime, the UK government have implemented a national data strategy with the aim of reducing the burden on organisations but maintaining a high data protection standard. The Government published a consultation in September last year asking for responses to their proposed changes to the current UK data protection regime (the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA) and Privacy and Electronic Communications Regulations (PECR)), the outcome of which was published earlier this year. On 18 July 2022, the Data Protection and Digital Information Bill had its first reading in the House of Commons.
We consider some of the key proposed changes to the current UK data protection regime and recommend steps to take now to ensure compliance going forward below:
Privacy management programme framework
The government is proposing to remove key accountability requirements such as the requirement for an organisation to have a Data Protection Officer (DPO), to undertake Data Protection Impact Assessments and to maintain a Records of Processing Activities (RoPA) and replace it with a requirement for organisations to implement a more flexible and risk-based “privacy management programme” based on the level of processing activities and the volume and sensitivity of personal data they handle. Organisations will still be required to appoint a senior person to be responsible for data protection, however they will not be subject to the statutory obligations DPOs currently are. Organisations will be given more freedom to implement risk assessment tools and take a more flexible approach to record keeping.
For now, we recommend organisations look at the Information Commissioner’s Office’s (ICO) current accountability framework to determine their current compliance level. If an organisation is reasonably compliant under the current framework, it is most likely to be compliant under the new regime going forward.
Cookies and cookie consent
The government is proposing to remove the cookie consent requirements from Regulation 6 of PECR in respect of certain less privacy intrusive cookies, including analytics (the Bill refers to use of cookies ‘for statistical purposes’ to improve a service or website), and some functional cookies. The effect of the proposed changes is that those cookies would be treated in a similar way that ‘strictly necessary’ cookies are treated under the current regime. There are still restrictions on the use of those cookies in that the data must not be shared with any other party (e.g. Google) and that website users should be able to object to the use of their data. The proposed changes however will not impact on the consent requirements for more privacy intrusive cookies such as those which collect personal data for the purposes of real-time bidding and targeting advertisements/marketing, which will remain in place.
For now, we recommend organisations map the cookies used on their websites and make sure they have a good awareness of any privacy intrusive cookies used (such as those which track users across multiple websites, targeted advertising cookies and those used to build a profile about an individual), as they are likely to continue to need to get consent to drop those cookies going forward under the new regime.
Subject access requests (SARs)
SARs are often used by disgruntled individuals as a weapon against organisations, causing them to use lots of precious time and money in order to comply with the request for personal data. Under the current regime, an organisation can only refuse to comply with a SAR where the request can be deemed to be manifestly unfounded and/or excessive. The government propose to change this wording to bring it in line with the Freedom of Information Act wording i.e., where a request is vexatious and/or excessive. It is not clear as of yet what the practical impact of this change will be, however it is hoped that this will allow organisations to take a more practical approach when responding to SARs and refuse to respond when dealing with a vexatious individual where it would be disproportionate to do so.
For now, we recommend that organisations concentrate on making sure they have appropriate retention and deletion practices in place, to ensure there is only minimal data to deal with when complying with a SAR.
This is of course just a draft bill and may change as it goes through various stages in Parliament.
You may be interested in...
Press Release
Browne Jacobson appointed as legal adviser to Department for Transport Legal Advisers
Legal Update
Changes to the fixed recoverable costs regime
Legal Update
School leaders survey Spring 2024 - the results are in!
Legal Update
OFS Consultation on freedom of speech guidance
Press Release
‘Privacy by design’ approach will help health and care organisations gain public trust in using technology as ICO publishes new guidance
Legal Update - Procurement Act
PPN 01/24: Carbon reduction contract schedule
Legal Update
Understanding the ICO's new fining guidance
Legal Update
7 ways academy trusts can prepare for the new Corporate Transparency Act
Online Event
School complaints: handling problem parent behaviour
Press Release - Firm news
Three newly-qualified solicitors join Browne Jacobson’s education team
Press Release
Fixing local government standards regime would help us to do our jobs, say monitoring officers at Browne Jacobson and LGiU roundtable
Podcast - #EdInfluence
#EdInfluence podcast (series 3) - in conversation with inspiring leaders
Legal Update - Procurement Act
Landmark judgment in OCS Group UK Limited v Community Health Partnerships Limited
Opinion
Can teachers personal and political views amount to misconduct?
Legal Update
ICO consultation on accessing care records: A legal perspective
Legal Update
New leadership for our education team
Press Release - Firm news
Browne Jacobson announces Nick MacKenzie to succeed Mark Blois as head of Browne Jacobson’s education team
Legal Update
Government updates guidance on holiday rules: What employers need to know
Legal Update
Changes to academy conversion funding
Legal Update
Holiday pay: Government change clarifies treatment of term time only workers
Legal Update
All change at Companies House - Corporate Transparency Act
Online Event
Understanding the changing role of company secretary for academy trusts
Legal Update
Subsidy control guidance update - welcome guidance on “small subsidies” introduced
Legal Update
Cyber-attacks in UK universities: Why failing to prepare is no longer an option
Opinion
R (Willmott) v Eastbourne Council: High Court rules council can deny social housing to disabled ex-tenant over anti-social behaviour
Legal Update
Artificial intelligence – shaping a sustainable future
Opinion
School attendance matters
Published Article
Government's asset sale plan: Short-term fix or long-term disaster?
Legal Update - Public matters newsletter
Public matters - March 2024
Press Release
Spring Budget 2024: Browne Jacobson reaction
Legal Update
Not quite a blanket ban on mobile phones in schools: DfE guidance insights
Legal Update
Charity law update – March 2024
Opinion
Caregivers at work: Navigating new carer's leave regulations
On-Demand - Shared Insights
Shared Insights: Sexual safety in the workplace — how leaders can help to create a sexual safety culture
Legal Update
Updated guidance for collaborative learning delivery in higher education
Opinion
EHRC publishes new guidance on menopause and the workplace
Legal Update
Gatekeepers under the DMA – TikTok’s battle to have its designation revoked
Press Release
Browne Jacobson supports establishment of East Midlands Combined County Authority
Press Release
At the forefront of society’s biggest issues - a reflection of our public sector work throughout 2023
