Three New GDPR Workshops from Act Now Training

Act Now Training is pleased to announce three new additions to our GDPR workshop series

Data ethics is increasingly relevant to the role of information professionals. Just because the processing of personal data is lawful does not make it fair or ‘ethical’. And indeed, where something is fair it does not always mean it is lawful. Whilst the UK GDPR gives us some structure for working out what is a fair and proportionate use of personal data (and thus ethical), there can be a wide range of issues outside of the law to consider.  

Our Data Ethics workshop will explore what the term ‘Data Ethics’ actually means, the role it plays in the use of personal data (and indeed other data) and what practical steps information professionals can take to embed and promote data ethics within their organisations. From how to consider data ethics in DPIAs and sharing requests, through to embedding a practical data ethics framework in your organisation, we will pose questions, share experiences and best practice and where to find further guidance and support. 

A subject which has many ethical considerations is the use of Artificial Intelligence (also known as AI) and Machine Learning. AI is not coming; it is here. Whether ordering a taxi or submitting your tax return, AI is operating in the background. AI and Machine Learning have the capacity to improve our lives but, like all technologies, they have the potential to ruin lives too.  

Our new workshop, How to implement Good Information Governance into Artificial Intelligence & Machine Learning Projects, will explore exactly what ‘AI’ and ‘Machine Learning’ are and how they are starting to appear in the working environment. We will also explore the common challenges that these present focussing on GDPR as well as other information governance and records management issues.  Delegates will leave the workshop with practical ideas for how to approach Machine Learning and AI as well as awareness of key resources, current best practice and how they can keep up to date about a fast-developing area of technology. Think that AI is something for future generations to deal with? This workshop will make you think again!

The concepts of controller, joint controller and processor play a crucial role in the application of GDPR. They determine who is responsible for compliance with different data protection rules and how data subjects can exercise their rights in practice.  The precise meaning of these concepts and the criterion for their correct interpretation is the subject of much confusion. Incorrect interpretation can lead to the wrong allocation of data protection responsibilities leading to disputes when things go wrong. 

Our new workshop, Data Controller, Processor or Joint Controller: What am I?, will help both controllers and processors to understand their responsibilities and liabilities under GDPR and how to structure their relationships. This interactive workshop will explain the key differences between data controllers, joint controllers and data processors and what the roles and responsibilities are for each. By the end of this workshop, delegates will gain the confidence to decide on what an organisation’s role is under GDPR and how to manage the different relationships.

At Act Now we are always keen to hear from information governance professionals. If you have ideas for new workshops, or are interested in running one, please get in touch.

Google Analytics and GDPR Compliance: What next?

Google Analytics is a popular tool used by website owners across the world to observe and measure user engagement. In February 2022, the French Data Protection Regulator, CNIL, ruled that use of Google Analytics was a breach of GDPR. This followed a similar decision by Austrian Data Protection Authority in January. 

Is a website owner processing personal data by making use of Google Analytics? On the face of it, the answer should be no. Google Analytics only collects information about website visitors, such as which pages they access and where they link from. The website owners do not see any personal data about visitors. However, Google does assign a unique user identification number to each visitor which it can use to potentially identify visitors by combining it with other internal resources (just think of the vast amount of information which is collected by Google’s other services). 

The fact that the above mentioned French and Austrian decisions ruled that analytics information is personal data under GDPR does not in its itself make the use of Google Analytics unlawful. Of course website owners need to find a GDPR Article 6 condition for processing (Lawfulness) but this is not an insurmountable hurdle. Legitimate interests is a possibility although the UK Information Commissioner’s Office (ICO) holds the view that use of analytics services is not “strictly necessary” in terms of the PECR cookie rules and its own cookie banner, adopts the express consent approach.  

A bigger obstacle to the use of Google Analytics in Europe is the fact that website users’ personal data is being passed back to Google’s US servers. In GDPR terms that is a “restricted transfer” (aka international transfer). Following the judgment of the European Court of Justice (ECJ) in “Schrems II”, such transfers have been problematic to say the least.  In Schrems, the ECJ concluded thatorganisations that transfer personal data to the USA can no longer rely on the Privacy Shield Framework. They must consider using the Article 49 derogations or standard contractual clauses(SCCs). If using the latter, whether for transfers to the USA or other countries, the ECJ placed the onus on the data exporters to make a complex assessment about the recipient country’s data protection legislation, and to put in place “additional measures” to those included in the SCCs. The problem with the US is that it has stringent surveillance laws which give law enforcement agencies access to personal data without adequate safeguards (according to the ECJ in Schrems).

In France, the CNIL has ordered the website which was the subject of its ruling about Google Analytics to comply with the GDPR and “if necessary, to stop using this service under the current conditions”, giving it a deadline of one month to comply. The press release, announcing the decision, stated:

“Although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services.”

“There is therefore a risk for French website users who use this service and whose data is exported.”

The CNIL decision does leave open the door to continued use of Google Analytics but only with substantial changes that would ensure only “anonymous statistical data” gets transferred. It also suggests use of alternative toosl which do not involve a transfer outside the EU. Of course the problem will be solved if there is a new agreement between the EU and U.S. to replace the Privacy Shield. Negotiations are ongoing.

In the meantime, what can UK based website owners do. Should they stop using Google Analytics? Some may decide to adopt a “wait and see” approach. The ICO has not really shown any appetite to enforce the Schrems decision concentrating instead on alternative transfer tools including International Data Transfer agreement which comes into force tomorrow. Perhaps a better way is to assess which services, not just analytics services, involve transfers to the US and switch to EU based services instead.  

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop on Wednesday. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in April.

advanced_cert
https://www.actnow.org.uk/advancedcert

The New Isle of Man GDPR Handbook

Act Now Training is pleased to announce the launch of the new Isle of Man GDPR Handbook. The handbook is designed for data protection practitioners and legal advisers who require a reference guide to the Isle of Man Data Protection regime. It has been published following the success of the Act Now UK GDPR and EU GDPR handbooks.

The IoM GDPR handbook sets out the full text of the EU GDPR as it applies to the Isle of the Man (Applied GDPR) together with cross referenced recitals. Isle of Man specific amendments, insertions and deletions are clearly indicated to allow users to easily identify what has been changed from the original EU text. Relevant provisions of the Implementing Regulations have been included where they contribute to the further understanding of the Applied GDPR. Guidance from the Isle of Man Information Commissioner and the European Data Protection Board is also signposted to assist users when interpreting the legislation. 

Ibrahim Hasan, the editor of the IoM GDPR Handbook, said:

“I am really pleased with the publication of the Isle of Man GDPR Handbook. We wanted to fulfil the need of data protection practitioners in the Ise of Man to have access to a clear and easy to follow publication to help them navigate their way around this complex legislation.”

Isle of Man delegates who book our new IoM GDPR Practitioner Certificate course will receive a complimentary copy of this handbook as part of their course materials. 

EARLY BIRD DISCOUNT

The RRP of the Isle of Man GDPR handbook is £54.99 (plus postage and packing). There is an early bird discount of 15% off the RRP until 3pm on 17th March 2022. Please quote the discount code “IoM15” when placing your order here. 

Act Now in Dubai 

Last week the Act Now team returned from a trip to the United Arab Emirates to promote our Middle East training programme. It was a great opportunity to better understand the UAE privacy framework and the needs of businesses faced with the challenge of implementing new laws (as well as get some sun!) 

The Middle East is fast catching up with Europe when it comes to data protection law.
The UAE recently enacted a federal law to comprehensively regulate the processing of personal data in all seven emirates. This will sit alongside current data protection laws regulating businesses in the various financial districts such as the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 and the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021. In addition there are a number of sector specific laws in the UAE which address personal privacy and data security.
Saudi Arabia, Bahrain and Qatar also now have comprehensive data protection laws. 

Whilst in Dubai we met with a number of potential clients, consultancies and law firms specialising in data protection. It was a great opportunity to discuss the changing privacy landscape and how Act Now can assist in developing the understanding of the legislation and its practical implementation. We had some interesting discussions about the changing privacy attitudes around the world, the power of Big Tech and increasing use of AI. 

We also had meetings with data protection regulators in Dubai and Abu Dhabi. We were impressed by their commitment to educating businesses about the new laws and their practical advice to reduce the burden of implementation. They emphasised the importance of embedding a privacy culture in organisations and an understanding of the UAE laws as standalone privacy laws and not just “importing of GDPR”. A special thank you to Lori Baker at the DIFC and Sayid Madar at the ADGM for taking time out of their busy schedules to meet us.  

During our last trip to Dubai in 2018 there was very little awareness of data protection law amongst businesses and compliance seemed to be geared around GDPR. This time on our travels (and shopping trips) we certainly noticed a more serious attitude amongst larger businesses to try and get data protection right. We saw  privacy notices in most official forms, CCTV signs in malls and even a privacy notice recording when ringing our hotel.  

The introduction and/or revision of privacy law in the Middle East is an important development which further proves that data protection is a truly global issue.
Many organisations may need to appoint a Data Protection Officer as part of the new legal framework. Even where they do not need a DPO they will certainly need someone to drive forward compliance and liaise with regulators. This opens up opportunities for UK and EU Data Protection professionals especially as the new laws have some alignment with  the EU General Data Protection Regulation (GDPR)  and the  UK GDPR
 

These are exciting times for data protection professionals. For those seeking a fresh new challenge and the opportunity to spread the data protection message to new jurisdictions, now is the time to brush up on Middle East data protection laws. See photos of our trip below. Sun, sea and subject access awaits! 

Cabinet Office Receives £500,000 GDPR Fine

The Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online.

The New Year Honours list is supposed to “recognise the achievements and service of extraordinary people across the United Kingdom.” However in 2020 the media attention was on the fact that, together with the names of recipients, the Cabinet Office accidentally published their addresses; a clear breach of the General Data Protection Regulation (GDPR) particularly the sixth data protection principle and Article 32 (security).

The Honours List file contained the details of 1097 people, including the singer Sir Elton John, cricketer Ben Stokes, the politician Iain Duncan Smith and the TV cook Nadiya Hussain. More than a dozen MoD employees and senior counter-terrorism officers as well as holocaust survivors were also on the list which was published online at 10.30pm on Friday 26th December 2019. After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, the file was still cached and accessible online to people who had the exact webpage address.

The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times. The vast majority of people on the list had their house numbers, street names and postcodes published with their name. One of the lessons here is, always have a second person check the data before pressing “publish”.

This is the first ever GDPR fine issued by the ICO to a public sector organisation. A stark contrast to the ICO’s fines under the DPA 1998 where they started with a local authority. Article 82(1) sets out the right to compensation:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

It will be interesting to see how many of the affected individuals pursue a civil claim. 

(See also our blog post from the time the breach was reported.)

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a one place left on our Advanced Certificate in GDPR Practice course starting in January.

Footballers’ Personal Data: Ibrahim Hasan’s BBC Interview

fringer-cat-hddmxlpafgo-unsplash

On Tuesday there was an interesting story in the media about a group of footballers threatening legal action and seeking compensation for the trade in their personal data. 

The use of data is widespread in every sport. It is not just used by clubs to manage player performance but by others such as betting companies to help them set match odds. Some of the information may be sold by clubs whilst other information may be collected by companies using public sources including the media.

Do footballers have rights in relation to this data? Can they use the GDPR to seek compensation for the use of their data?

On Tuesday, Ibrahim Hasan gave an interview to BBC Radio 4’s (PM programme) about this story. You can listen below:

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a few places left on our Advanced Certificate in GDPR Practice course starting in November.

Ring Doorbells, Domestic CCTV and GDPR

The Daily Mail reports today that, “A female doctor is set to be paid more than £100,000 after a judge ruled that her neighbour’s Ring smart doorbell cameras breached her privacy in a landmark legal battle which could pave the way for thousands of lawsuits over the Amazon-owned device.”

Dr Mary Fairhurst, the Claimant, alleged that she was forced to move out of her home because the internet-connected cameras are so “intrusive”. She also said that the Defendant, Mr Woodard, had harassed her by becoming “aggressive” when she complained to him.

A judge at Oxford County Court, ruled yesterday that Jon Woodard’s use of his Ring cameras amounted to harassment, nuisance and a breach of data protection laws. The Daily Sage goes on to say:

“Yesterday’s ruling is thought to be the first of its kind in the UK and could set precedent for more than 100,000 owners of the Ring doorbell nationally.”

Before Ring doorbell owners rush out to dismantle their devices, let’s pause and reflect on this story. This was not about one person using a camera to watch their house or protect their motorbike. The Defendant had set up a network of cameras around his property which could also be used to watch his neighbour’s comings and goings. 

Careful reading of the judgement leads one to conclude that the legal action brought by the Claimant was really about the use of domestic cameras in such a way as to make a neighbour feel harassed and distressed. She was primarily arguing for protection and relief under the Protection from Harassment Act 1997 and the civil tort of nuisance. Despite the Daily Mail’s sensational headline, the judgement does not put domestic CCTV camera or Ring doorbell owners at risk of paying out thousands of pounds in compensation (as long as they don’t use the cameras to harass their neighbours!). However, it does require owners to think about the legal implications of their systems. Let’s examine the data protection angle.

Firstly, the UK GDPR can apply to domestic CCTV and door camera systems. After all, the owners of such systems are processing personal data (images and even voice recordings) about visitors to their property as well as passers-by and others caught in the systems’ peripheral vision.  However, on the face of it, a domestic system should be covered by Article 2(2)(a) of the UK GDPR which says the law does not apply to “processing of personal data by an individual in the course of purely personal or household activity.” Recital 18 explains further:

“This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.”

The judge in this case concluded that the camera system, set up by the Defendant, had collected data outside the boundaries of his property and, in the case of one specific camera, “it had a very wide field of view and captured the Claimant’s personal data as she drove in and out of the car park.” This would take the system outside of the personal and household exemption quoted above, as confirmed by the Information Commissioner’s CCTV guidance:

“If you set up your system so it captures only images within the boundary of your private domestic property (including your garden), then the data protection laws will not apply to you.

But what if your system captures images of people outside the boundary of your private domestic property – for example, in neighbours’ homes or gardens, shared spaces, or on a public footpath or a street?

Then the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18) will apply to you, and you will need to ensure your use of CCTV complies with these laws.”

Once a residential camera system comes under the provisions of the UK GDPR then of course the owner has to comply with all the Data Protection Principles including the obligation to be transparent (through privacy notices) and to ensure that the data processing is adequate, relevant and not excessive. Data Subjects also have rights in relation to their data including to see a copy of it and ask for it to be deleted (subject to some exemptions).

Judge Clarke said the Defendant had “sought to actively mislead the Claimant about how and whether the cameras operated and what they captured.” This suggests a breach of the First Principle (lawfulness and transparency). There were also concerns about the amount of data some of the cameras captured (Fourth Principle).

Let’s now turn to the level of compensation which could be awarded to the Claimant. Article 82 of the UK GDPR does contain a free standing right for a Data Subject to sue for compensation where they have suffered material or non-material damage, including distress, as a result of a breach of the legislation. However, the figure mentioned by the Daily Mail headline of £100,000 seems far-fetched even for a breach of harassment and nuisance laws let alone GDPR on its own. The court will have to consider evidence of the duration of the breach and the level of damage and distress cause to the Claimant. 

This judgement does not mean that Ring door camera owners should rush out to dismantle them before passing dog walkers make compensation claims. It does though require owners to think carefully about the citing of cameras, the adequacy of notices and the impact of their system on their neighbour’s privacy. 

The Daily Mail story follows yesterday’s BBC website feature about footballers attempting to use GDPR to control use of their performance data (see yesterday’s blog and Ibrahim Hasan’s BBC interview). Early Christmas gifts for data protection professionals to help them highlight the importance and topicality of what they do!

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a few places left on our Advanced Certificate in GDPR Practice course starting in November.

Ronaldo’s Data and GDPR: Who said data protection is boring?

There is an interesting story this morning on the BBC website about a group of footballers threatening legal action and seeking compensation for the trade in their personal data. The use of data is widespread in every sport. It is not just used by clubs to manage player performance but by others such as betting companies to help them set match odds. Some of the information may be sold by clubs whilst other information may be collected by companies using public sources including the media.  

Now 850 players (Ed – I don’t know if Ronaldo is one of them but I could not miss the chance to mention my favourite footballer!), led by former Cardiff City manager Russell Slade, want compensation for the trading of their performance data over the past six years by various companies. They also want an annual fee from the companies for any future use. The data ranges from average goals-per-game for an outfield player to height, weight and passes during a game. 

BBC News says that an initial 17 major betting, entertainment and data collection firms have been targeted, but Slade’s Global Sports Data and Technology Group has highlighted more than 150 targets it believes have “misused” data. His legal team claim that the fact players receive no payment for the unlicensed use of their data contravenes the General Data Protection Regulation (GDPR). However, the precise legal basis of their claim is unclear. 

In an interview with the BBC, Slade said:

“There are companies that are taking that data and processing that data without the individual consent of that player.”

This suggests a claim for breach of the First Data Protection Principle (Lawfulness and Transparency). However, if the players’ personal data is provided by their clubs e.g., height, weight, performance at training sessions etc. then it may be that players have already consented (and been recompensed for this) as part of their player contract. In any event, Data Protection professionals will know that consent is only one way in which a Data Controller can justify the processing of personal data under Article 6 of GDPR. Article 6(1)(f) allows processing where it:

“is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data… .”

Of course, this requires a balancing exercise considering the interests pursued by the clubs and data companies and the impact on individual players’ privacy. Some would argue that as far as public domain information is concerned, the impact on players’ privacy is minimal. However, “the interests or fundamental rights and freedoms of the data subject’ also include reputational damage, loss of control and financial loss, all of which it could be argued result from the alleged unauthorised use of data.

The BBC article quotes former Wales international Dave Edwards, one of the players behind the move:

“The more I’ve looked into it and you see how our data is used, the amount of channels its passed through, all the different organisations which use it, I feel as a player we should have a say on who is allowed to use it.”

The above seems to suggest that the players’ argument is also about control of their personal data. The GDPR does give players rights over their data which allow them to exercise some element of control including the right to see what data is held about them, to object to its processing and to ask for it to be deleted. It may be that players are exercising or attempting to exercise these rights in order to exert pressure on the companies to compensate them.

Without seeing the paperwork, including the letters before action which have been served on the companies, we can only speculate about the basis of the claim at this stage. Nonetheless, this is an interesting case and one to watch. If the claim is successful, the implications could have far-reaching effects beyond football. Whatever happens it will get data protection being talked about on the terraces!

Ibrahim Hasan, solicitor and director of Act Now Training, has given an interview to BBC Radio 4’s (PM programme) about this story. You can listen again here (from 39) minutes onwards.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a few places left on our Advanced Certificate in GDPR Practice course starting in November.

Online GDPR Practitioner Certificate: Going from Strength to Strength

caleb-woods-RIcMwDLk1wo-unsplash

Act Now Training would like to congratulate all our delegates who have recently completed our online GDPR Practitioner Certificate.

At the start of the Pandemic, we decided to offer our flagship classroom based GDPR Practitioner Certificate as an online option. We redesigned the course for the online world with even more emphasis on practical exercises and case studies to try and recreate the classroom learning environment. Delegates receive all the fantastic features of our classroom course but in a live online learning environment accessible from anywhere in the world.

The course is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector. It teaches delegates all the essential GDPR skills and knowledge. The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

In less than 18 months, 178 delegates have completed the course representing a diverse range of organisations including private companies, councils, universities and government departments. We have even had delegates from the Houses of Parliament, Gibraltar and the Isle of Man. 

Read some of the delegate feedback below:

“The GDPR Practitioner Certificate course was really excellent.  The content was thorough and tied in with real life situations to really embed the learning.  It has really helped me in my role, even after the first week I had new practical skills I could use in my daily work life.” KL, Kent County Council

“Very useful, insightful course that provided hands on practical tips on GDPR implementation within our business.” AD, Danske Bank

“The course was delivered at a pace that suited the learners and with ample opportunities to revisit tricky topics or ask for clarification. The supplied learning materials were comprehensive and genuinely added value to the learning experience.” Nigel Leech, CEFAS

“The course was the right balance between overall guidance and detailed information presented in an easy and understandable format.” RR, Chugai Pharma Europe Ltd

​“The course delivered through Act Now was not only educational but informative.
The teaching skills were excellent, I felt at ease in the class and came away with a tremendous amount of knowledge that I can use in everyday situations. Thank you.”
HB, Foseco International Limited

Our next online GDPR Practitioner Certificate courses start in October. We also have a classroom course starting in November in Manchester. 

For those who have successfully completed our GDPR Practitioner Certificate, we have one place left on our Advanced Certificate in GDPR Practice course starting in October. 

Government Consultation: Are you ready for UK GDPR 2.0?

On 10 September 2021, the UK Government launched a consultation entitled “Data: A new direction” intended “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” Cynics will say that it is an attempt to water down the UK GDPR just a few months after the UK received adequacy status from the European Union. 

Back in May, the Prime Ministerial Taskforce on Innovation, Growth, and Regulatory Reform (TIGRR) published a 130-page report setting out a “new regulatory framework for the UK. Saying that the current data protection regime contained too many onerous compliance requirements, it suggested that the government: 

“Replace the UK GDPR with a new, more proportionate, UK Framework of Citizen Data Rights to give people greater control of their data while allowing data to flow more freely and drive growth across healthcare, public services and the digital economy.” 

Many of the recommendations made in the TIGRR Report can be found in the latest consultation document:

Research and Re Use of Data

  • Consolidating and bringing together research-specific provisions in the UK GDPR, “bringing greater clarity to the range of relevant provisions and how they relate to each other.” 
  • Incorporating a clearer definition of “scientific research” into the legislation. 
  • Clarifying in legislation how university research projects can rely on tasks in the public interest (Article 6(1)(e) of the UK GDPR) as a lawful ground for personal data processing. 
  • Creating a new, separate lawful ground for research, subject to suitable safeguards. 
  • Clarifying in legislation that data subjects should be allowed to give their consent to broader areas of scientific research when it is not possible to fully identify the purpose of personal data processing at the time of data collection.
  • Stating explicitly that the further use of data for research purposes is both always compatible with the original purpose and lawful under Article 6(1) of the UK GDPR. 
  • Replicating the Article 14(5)(b) exemption (disproportionate effort) in Article 13 (privacy notice), limited only to controllers processing personal data for research purposes.
  • Amending the law to facilitate innovative re-use of data for different purposes and by different data controllers.
  • Creating a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test “in order to give them more confidence to process personal data without unnecessary recourse to consent.” 

AI, Machine Learning and Automated Decision Making

  • Stipulating that processing personal data for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems constitutes a legitimate interest in the terms of Article 6(1)(f) for which the balancing test is not required. 
  • Enabling organisations to use personal data and sensitive personal data for the purpose of managing the risk of bias in their AI systems by amending/clarifying the legitimate interests ground under Art 6 and clarifying/amending schedule 1 of the DPA 2018 (Special Category Data Processing).
  • Removing Article 22 of UK GDPR (the right not to be subject to a decision resulting from solely automated processing if that decision has significant effects on the individual) and permitting solely automated decision making subject to compliance with the rest of the data protection legislation. 

Accountability

  • Allowing data controllers to implementing a more flexible and risk-based accountability framework, which is based on privacy management programmes, that reflects the volume and sensitivity of the personal information they handle, and the type(s) of data processing they carry out. 
  • To support the implementation of the new accountability framework the government intends to remove the requirement to:
    • Consult the ICO in relation to high-risk personal data processing that cannot be mitigated (Article 36)
    • The record keeping requirements under Article 30
    • The need to report a data breach where the risk to individuals is “not material”
  • Introducing a new voluntary undertakings process. 

International Transfers

  • Adding more countries to the adequate list by “progressing an ambitious programme of adequacy assessments.”
  • Adding easier and more international transfer mechanisms.
  • Allowing repetitive use of Article 49 derogations.

PECR and Marketing 

  • Permitting organisations to use analytics cookies and similar technologies without the users’ consent. 
  • Permitting organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes.
  • Extending “the soft opt-in” to electronic communications from organisations other than businesses where they have previously formed a relationship with the person, perhaps as a result of membership or subscription. 
  • Making it easier for political parties to use data for “political engagement”.
  • Increasing the fines that can be imposed under PECR to GDPR levels.

Other Proposals

  • Including “a clear test for determining when data will be regarded as anonymous” within the UK GDPR.
  • Introducing a fee regime (similar to that in the Freedom of Information Act 2000) for access to personal data held by all data controllers. 
  • Requiring the ICO to consider not just data protection but also “growth and innovation” as well as competition.

Businesses may welcome many of these proposals which they might see as limiting the administrative burden of the current data protection regime particularly reporting data breaches and conducting DPIAs. The Government also seems intent on liberalising access to data, to generate a broader market for it, which will suit the commercial interests of big business but at what privacy cost? The consultation runs until 19 November 2021.

What are your thoughts? Let us know in the comment field.

Our  GDPR Practitioner Certificate is our most popular certificate course available both online and classroom. We have added more dates.

%d bloggers like this: