Following on from my blog post in February, the Queen’s Speech in May confirmed the UK Government’s intention to overhaul the UK data protection regime. The Government’s view is that “the UK General Data Protection Regulation and Data Protection Act 2018 are highly complex and prescriptive pieces of legislation … [that] encourage excessive paperwork, and create burdens on businesses with little benefit to citizens.” A Data Reform Bill is expected to be put forward during the Summer, which will mark the beginning of its journey through the Parliamentary process.
These reforms are likely to be based on the DCMS “Data: A New Direction” consultation, which shared various proposals including:
Removal of the requirement to keep records of data processing activities – We currently have to maintain a Record of Processing Activities (RoPA)/Data Inventory covering some mandatory details of data under our control. The consultation suggested introducing more flexibility in the form and content of these.
Removal of the requirement to appoint a Data Protection Officer (DPO) – the current regime requires our authorities to appoint a DPO with an “expert knowledge of data protection law and practices”, and register their details with the Information Commissioner’s Office. It is proposed to relax this and allow organisations to simply internally designate individuals to oversee compliance.
Changes to Rights Requests – it is argued that there is a high administrative burden on organisations dealing with Rights Requests (such as Subject Access Requests). Proposed changes include introducing a cost ceiling, and a reduction in the threshold for a request being refused (currently the request must be demonstrably “manifestly unfounded” in order to refuse).
Removal of the requirement for Data Protection Impact Assessments (DPIAs) – Currently, a DPIA must be conducted prior to undertaking large-scale processing which may result in a high risk to individuals (such as processing of Special Category data). It is proposed to allow organisations to adopt approaches relevant to their specific circumstances.
Breach Reporting Threshold changes – We must report any breach at present unless it is “unlikely” to result in a risk to the rights of the subject. The consultation suggests amending this threshold to require reports only if the risk is “material”.
The Government states that any changes in the Bill will ensure that “UK citizens’ personal data is protected to a gold standard”, and that over £1 billion of savings could be realised by businesses in the ten years following introduction, citing smaller organisations being freed from some of the regulatory burdens that they currently need to resource. The other side of the coin is that many organisations, including most of ours, have already invested significant time and resources into achieving compliance with the current laws, with the GDPR itself being only six years old – there will be some trepidation no doubt as we wait to see what is proposed in the upcoming Bill.
Finally, there is the question of “Adequacy” – significant changes and/or departure from the EU GDPR could affect the EU’s adequacy decision in respect of the UK’s data protection regime, which could have serious implications for UK organisations reliant on data flows to and from EU countries.
Watch this space for more when the Bill is published!
APP Cx Community Leadership Team