Personal data: a new direction

Data protection has been a ‘hot topic’ for Boris Johnson’s government, both throughout Brexit negotiations and with a view to the future now the transition period is over. It is an area in which the government wants to flex the UK’s post-Brexit freedom. The EU adopted a position of adequacy in relation to the UK’s data protection regime, allowing the personal data of EU citizens to flow unimpeded into the UK. This was on the proviso that our data protection legislation offered a similar level of protection to the GDPR. Our current data protection regime essentially mirrors the GDPR (now called the UK GDPR) and is supplemented by the Data Protection Act 2018.

The government’s Taskforce on Innovation, Growth and Regulatory Reform (TIGRR), chaired by Sir Iain Duncan Smith, penned a report which took to task the ‘restrictive nature of today’s regulatory environment’, noting that such regulation is ‘Napoleonic’ in its approach. Among the key areas criticised and identified within the report as in need of significant reform was data protection, with a recommendation placed before the Prime Minister to create a ‘UK Data Protections Framework’.

Where are we now?

The government has commenced a consultation on what it proposes to change with a new data protection legislative framework. The headline changes are:

  • Cookies – streamlining the consent process and removing website pop ups.
  • PECR – raising the penalty limit for PECR breaches far beyond the current £500k limit.
  • Legitimate interests legal basis – expanding and specifying the instances in which this legal basis can be used.
  • DPOs and DPIAs – removing the necessity for the role of a specialised DPO within an organisation.
  • Subject Access Requests (SARs) – introducing a nominal fee (not yet specified) which businesses can charge for responding to a SAR.
  • Regulator reform – creating new strategic objectives for the regulator to ensure they have a business-centric, not a data subject focused, approach.

In day-to-day terms, the removal of mandatory DPOs and cookie pop-ups, and the introduction of a fee for SARs, will be the most significant changes which organisations face and which will change the way they approach data protection.

Regulatory response

The ICO has published its lengthy response to the ongoing government consultation. It welcomed the government’s business-centric approach to data protection, in particular embracing the adaption of cookies and the consent pop-up, higher limits for PECR breaches and more detail surrounding the proposed legitimate interests legal basis. However, the ICO is more cautious about welcoming the removal of DPOs and the introduction of a fee for SARs as this would, in its view, have a serious impact on data subjects. Of most concern to the ICO is the proposed reform to its own regulatory powers. The government seeks to obtain the power to appoint the ICO’s CEO and approve any guidance it issues. This would place the ICO in a much closer, and more restrictive, relationship with the government and could impact its ability to function as an independent regulator.

As the consultation period ends and the government releases its plans for legislative changes, the ICO will provide further regulatory updates and guidance on the new legislation.

What does this mean for your organisation?

With the adequacy decision reached by the EU in June 2021, personal data can flow freely between the EU and UK. Some aspects earmarked for reform, including a more relaxed view on international data flow and reduced consent, may be a cause for concern to EU officials. The UK will have to tread a careful path in achieving the reform this government wants, as that reform could put it in direct opposition with the EU. The adequacy decision will be reviewed in June 2025 and the EU has made its position clear: should the UK move too far away from EU data protection legislation, such a decision would be revoked. If revoked, the personal data of EU citizens would not be able to flow into the UK. This would have a significant impact on businesses which rely on access to the EU market and the personal data of EU citizens.

The removal of the mandatory role of a DPO for some organisations, such as schools, academy trusts and health bodies, may be a cause to rejoice. There has never been, and there still is not, enough expertise in the labour market to meet the demand for DPOs who can properly fulfil the requirements of the role. In addition, many data protection professionals will recall the useful tool of a £10 fee for a SAR under the old 1998 data protection regime. The ICO may see this as a barrier, but for organisations it will be a calming measure to reduce the volume of SARs submitted as a nuisance or fishing expedition. The fee was nowhere near the true cost of completing a SAR, but it did filter out requests where individuals were unwilling to pay.

For now, keep a close eye on developments as firm proposals come to fruition and draft legislation is laid before parliament. Many will remember the great rush to compliance ahead of 25 May 2018, but this reform is unlikely to feel as draconian. Clearly, at some point, policies and notices will need to be reviewed, but that work is not yet called for. As we move towards the end of the consultation period, Hill Dickinson will revisit this developing area and keep you abreast of the trajectory of travel.

Hill Dickinson advises various organisations in the public and private sector on their data protection compliance needs, including regulatory investigations. Please contact us if we can assist you with our expertise in this area.
