Government Consultation: Are you ready for UK GDPR 2.0?

On 10 September 2021, the UK Government launched a consultation entitled “Data: A new direction” intended “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” Cynics will say that it is an attempt to water down the UK GDPR just a few months after the UK received adequacy status from the European Union. 

Back in May, the Prime Ministerial Taskforce on Innovation, Growth, and Regulatory Reform (TIGRR) published a 130-page report setting out a “new regulatory framework for the UK.” Saying that the current data protection regime contained too many onerous compliance requirements, it suggested that the government: 

“Replace the UK GDPR with a new, more proportionate, UK Framework of Citizen Data Rights to give people greater control of their data while allowing data to flow more freely and drive growth across healthcare, public services and the digital economy.” 

Many of the recommendations made in the TIGRR Report can be found in the latest consultation document:

Research and Re-use of Data

  • Consolidating and bringing together research-specific provisions in the UK GDPR, “bringing greater clarity to the range of relevant provisions and how they relate to each other.” 
  • Incorporating a clearer definition of “scientific research” into the legislation. 
  • Clarifying in legislation how university research projects can rely on tasks in the public interest (Article 6(1)(e) of the UK GDPR) as a lawful ground for personal data processing. 
  • Creating a new, separate lawful ground for research, subject to suitable safeguards. 
  • Clarifying in legislation that data subjects should be allowed to give their consent to broader areas of scientific research when it is not possible to fully identify the purpose of personal data processing at the time of data collection.
  • Stating explicitly that the further use of data for research purposes is both always compatible with the original purpose and lawful under Article 6(1) of the UK GDPR. 
  • Replicating the Article 14(5)(b) exemption (disproportionate effort) in Article 13 (privacy notice), limited only to controllers processing personal data for research purposes.
  • Amending the law to facilitate innovative re-use of data for different purposes and by different data controllers.
  • Creating a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test “in order to give them more confidence to process personal data without unnecessary recourse to consent.” 

AI, Machine Learning and Automated Decision Making

  • Stipulating that processing personal data for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems constitutes a legitimate interest in the terms of Article 6(1)(f) for which the balancing test is not required. 
  • Enabling organisations to use personal data and sensitive personal data for the purpose of managing the risk of bias in their AI systems by amending/clarifying the legitimate interests ground under Art 6 and clarifying/amending schedule 1 of the DPA 2018 (Special Category Data Processing).
  • Removing Article 22 of UK GDPR (the right not to be subject to a decision resulting from solely automated processing if that decision has significant effects on the individual) and permitting solely automated decision making subject to compliance with the rest of the data protection legislation. 

Accountability

  • Allowing data controllers to implement a more flexible and risk-based accountability framework, based on privacy management programmes, that reflects the volume and sensitivity of the personal information they handle and the type(s) of data processing they carry out. 
  • To support the implementation of the new accountability framework, the government intends to remove:
    • the requirement to consult the ICO in relation to high-risk personal data processing whose risk cannot be mitigated (Article 36);
    • the record-keeping requirements under Article 30; and
    • the need to report a data breach where the risk to individuals is “not material”.
  • Introducing a new voluntary undertakings process. 

International Transfers

  • Adding more countries to the adequate list by “progressing an ambitious programme of adequacy assessments.”
  • Adding more, and easier, international transfer mechanisms.
  • Allowing repetitive use of Article 49 derogations.

PECR and Marketing 

  • Permitting organisations to use analytics cookies and similar technologies without the users’ consent. 
  • Permitting organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes.
  • Extending “the soft opt-in” to electronic communications from organisations other than businesses where they have previously formed a relationship with the person, perhaps as a result of membership or subscription. 
  • Making it easier for political parties to use data for “political engagement”.
  • Increasing the fines that can be imposed under PECR to GDPR levels.

Other Proposals

  • Including “a clear test for determining when data will be regarded as anonymous” within the UK GDPR.
  • Introducing a fee regime (similar to that in the Freedom of Information Act 2000) for access to personal data held by all data controllers. 
  • Requiring the ICO to consider not just data protection but also “growth and innovation” as well as competition.

Businesses may welcome many of these proposals, which they might see as limiting the administrative burden of the current data protection regime, particularly in reporting data breaches and conducting DPIAs. The Government also seems intent on liberalising access to data, to generate a broader market for it, which will suit the commercial interests of big business, but at what privacy cost? The consultation runs until 19 November 2021.


Data Protection Officers and Conflicts of Interest


In May 2018, with the implementation of GDPR, some senior managers (and many junior ones) found themselves thrown into the then unknown statutory role of Data Protection Officer (“DPO”). Two years on, some now have a better understanding of their role whilst others are still battling to manage the many different requirements of the job.

Articles 38 and 39 of the GDPR outline the role of the DPO. They should, amongst other things, be:

  • involved in data breach discussions and investigations whilst being provided with adequate resource to fulfil their obligations;
  • not dismissed for the performance of their duties as DPO;
  • able to offer secrecy and confidentiality to data subjects in relation to data protection matters within the organisation; and
  • actively involved in and consulted on the data processing risks associated with proposed data processing activities within the organisation, which are usually highlighted within the Data Protection Impact Assessment (DPIA).

The law is still in its infancy, and remains largely untested in the courts, but a recent case may lead to a few DPOs feeling a little nervous about their role.

€50,000 Fine

The Belgian Data Protection Authority recently issued a €50,000 fine to an organisation after it ruled that the organisation’s DPO had a conflict of interest under Article 38(6) of GDPR. The DPO had been employed by the organisation as the Head of Compliance, Risk Management and Audit in addition to acting as DPO.

A reportable data breach led to an investigation by the Belgian regulator, who sought to dig a little deeper into the organisation’s general approach to privacy compliance.
The investigation focussed on three main potential infringements of GDPR namely:

  1. The duty to cooperate with the data protection authority
  2. The accountability obligations of the organisation in relation to data breach notifications and data protection risk assessments
  3. The requirements related to the position of the DPO

The investigation found that the organisation’s DPO appointment failed to meet the requirements of the legislation as the individual was responsible for the processing of personal data in the areas of compliance, risk and audit and therefore could not independently advise on such matters.

Many data protection experts have interpreted this ruling as preventing any employee who is a “head of department” from carrying out the DPO role without a conflict of interest, although the situation is not as clear cut.

Conflict of Interests

Whilst the employer will pay their salary, the DPO must be able to act independently and without fear or favour. The Article 29 Working Party’s Guidelines on DPOs make reference to a number of roles which would be considered to pose a conflict of interests with the position of DPO, namely: Chief Executive, Chief Operating Officer, Chief Financial Officer, Chief Medical Officer, Head of Marketing, Head of HR and Head of IT.
All of these roles involve a significant amount of personal data processing and decision making, making it impossible to take an independent standpoint on the data matters that arise as a result.

This ruling presents an opportunity for organisations to review their DPO position.
Both the organisation and the individual must be clear about the role. The job description should be reviewed from time to time in the light of changing roles and responsibilities. This may flag up potential conflicts of interest.

It is common for DPOs, especially in the public sector, to wear many “hats” due to budget constraints. Whilst GDPR does allow this, if there is any doubt about a conflict of interests, the decision-making process should be documented and the position reviewed.
If any mitigating measures are to be put in place to reduce the risk of conflict these should be outlined and reviewed periodically as new risks and processing activities are presented to the organisation.

Data protection and privacy is an ever-changing area of compliance and in the coming years, more case law will be generated as the principles of the legislation are put to the test. With the end of the Brexit transition period approaching and changing uses of technology due to the global coronavirus pandemic, organisations will need to remain alert to potential issues arising from their original GDPR implementation plan.

Samantha Smith is a Data Protection Manager and qualified Solicitor with experience of data protection compliance projects across both public and private sectors.
