UK Data Protection reforms: a brief look at the government’s key proposals

The UK Government has confirmed its proposed reforms to the UK data protection legislation following a recent consultation. Here is a summary of the key proposed changes.

Reducing the regulatory burden

The reforms aim to deliver greater flexibility and more proportionate and targeted compliance requirements.

Privacy Management Programmes

Privacy Management Programmes will replace some of the more prescriptive elements of the UK GDPR. These changes will include:

• removing the requirement to appoint a Data Protection Officer (DPO) and replacing it with a requirement to appoint a senior responsible individual to oversee data protection compliance
• retaining the requirement for businesses to identity and manage risks but removing the need to conduct data protection impact assessments (DPIAs) in their current form, allowing greater flexibility to businesses in meeting this requirement
• removing the Article 30 requirement to maintain Records of Processing Activities (RoPAs) and replacing it with a more flexible requirement to maintain personal data inventories as part of their privacy management programme which describes what and where personal data is held, why it has been collected and how sensitive it is.

Data Subject Access Requests (DSARs)

The government plans to proceed with changing the threshold for refusing to respond to a DSAR or charging a reasonable fee for a subject access request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’, which will bring it in line with the Freedom of Information Act regime.

Privacy and Electronic Communications Regulations 2003 (PECR)

While the majority of the government’s consultation focused on the UK GDPR and the Data Protection Act 2018, it also considered possible changes to PECR, which supplements the UK GPDR with specific rules relating to confidentiality of terminal equipment (e.g. cookie rules), direct marketing and security of communications.

These changes will include:

• removing the requirement for websites to display cookie banners to UK residents and allowing cookies (and similar technologies) to be placed on a user’s device without explicit consent for a small number of other non-intrusive purposes. Longer-term, the intention is to move to an opt-out model of consent, meaning cookies could be set without first seeking consent provided that the user is given clear information about how to opt-out of the use of cookies and that they can easily do so
• extending the soft opt-in model to non-commercial organisations such as charities. This will allow businesses to contact such organisations for marketing purposes without explicit consent, provided that they have previously been in contact with the organisation during a sale or transaction and the organisation is given the opportunity to opt-out of such communications
• increasing the enforcement regime for PECR in line with the UK GDPR and DPA 2019, allowing the ICO to levy fines of up to £17.5m or 4% of a business’ global turnover in instances of non-compliance.

Promoting innovation and use of data

A key focus of the government’s consultation was a recognition of the importance of innovation and the responsible use of personal data to promote scientific discovery and allow cutting-edge technology to deliver benefits to the economy.

Some of the proposed reforms focus on creating more certainty for organisations about when and how they can responsibly use personal data. These proposals include:

• creating a new statutory definition of “scientific research” to provide clarity for researchers and provide more certainty, based on recital 159 of the UK GDPR
• clarifying the rules on re-use or further processing of personal data for research purposes, including where there has been a change of controller, or where the original legal basis for processing was consent
• clarifying the rules of using broad consent, which allows scientific research to use a less specific form of consent when it is not possible to fully identify the purpose of the processing at the point of data collection
• producing further guidance on when data can be considered “anonymised”

Reducing barriers to data flow

The government has confirmed it will adopt a risk-based approach to adequacy decisions which will retain the same broad standard that a country needs to meet in order to be found adequate, while allowing the Secretary of State greater flexibility to make adequacy decisions based on a desire to facilitate international data flows where a country meets the UK’s high data protection standards.

The above is just a quick summary of some of the key changes proposed by the government. If you would like to discuss any data protection issues in any more detail, please contact our Commercial Team who will be happy to help.