UK GDPR Reforms – a practical perspective

We take you through the UK government's response to the Brexit reforms consultation on UK data protection law, highlighting how this might impact your current Privacy Governance.

Let’s take a look at the key areas in the government’s response to the DCMS consultation and – if they get through into law – what changes, challenges or opportunities they represent.



There’s no change to what is or isn’t personal data and no change to territorial scope. If UK GDPR, DPA or PECR apply to you now, that won’t change.



A few minor changes in practice. The government will push forward with clarifying certain themes in the law itself. Some of this may simply move wording from recitals into definitions, some will need more. None of this should have a major effect on your practical compliance.


Research was a big area in the consultation. The main items moving forward are:

  • a new definition for scientific research based on Recital 159.
  • clarification on ‘broad consent’ for research purposes which will need to be looked at carefully.

Linked to research, there’s going to be clarification of what constitutes re-purposing as opposed to further processing, plus two specific changes:

  • that re-purposing when the legal basis was consent will not be possible subject to limited exceptions; and
  • clarifying further processing for an incompatible purpose when based on a law that safeguards important public interest – another item to wait to see exactly what that looks like.


On anonymisation, the government wants to clarify ‘when a living individual is identifiable’, that the test for identifiability is a relative one, and is based on the wording in the Explanatory Report to the Council of Europe’s Convention 108+ (see page 18) including:

‘Data is to be considered as anonymous only as long as it is impossible to re-identify the data subject or if such re-identification would require unreasonable time, effort or resources, taking into consideration the available technology at the time of the processing and technological developments.’

What won’t go forward

There’ll be no definition of ‘substantial public interest’.

So what about the core rules of GDPR, its principles and legal bases?


GDPR’s Principles

Easy – there’ll be NO change to GDPR’s Principles. These will continue to drive your Privacy Governance. No surprise here, they’re contained one way or another in the OECD Guidelines and Convention 108. 


GDPR’s Legal Bases

And there’ll be NO new legal bases in GDPR either, but … how and when you can use some of them will slightly change. There’ll also be some changes to the conditions on processing special category personal data in AI, which will go into Schedule 1 of the UK DPA.

Let’s take a closer look.

Legitimate Interests

There will be a list of activities where the Legitimate Interest balancing test is not required, but:

  • the list will be much much shorter than the proposed activities, with a power to update the list, and
  • the list generally won’t apply when children are involved unless it’s for example for safeguarding issues.

Legitimate Interests and Consent

On cookies you generally need to obtain Consent apart from a tightly-defined category of cookies that are necessary for delivering a communication or requested ‘information society service’, basically an online service. Currently, for that ‘strictly necessary’ subset, and that subset alone, you can use Legitimate Interests.

The government’s response on cookies wants to extend the category of cookies where consent is not needed to include traffic and performance cookies.

  • This generally mirrors what’s happening with the draft e-Privacy Regulation, so it’s tracking development of EU law and sounds reasonable. You’ll be able to use Legitimate Interests for a broader range of cookies (still not for marketing though).

The proposals on banning cookie banners, and moving to an opt-out system, will wait until technology allows users to easily signal their preferences through, for example, their browser. We’re not there yet.

Public Task

The government plans to clarify which lawful grounds for processing are available to organisations under Article 6 of the UK GDPR when they are requested by a public body to help deliver a public task.

In particular they want to clarify when private entities can rely on the public task ground in Article 6(1)(e) when they’re acting on behalf of a public entity in performing its tasks. This will be very helpful to a small set of businesses.

Sensitive personal data & AI

There’ll be a new condition in Schedule 1 of the UK DPA to enable the processing of sensitive personal data for the purpose of monitoring and correcting bias in AI systems (this won’t be in the ‘Legitimate Interests list’, so balancing tests will still need to be done if LI is relied on). 

The government’s response uses ‘sensitive personal data’ which typically means both special categories and criminal, but we’ll need to wait to see the wording.

Let’s turn to data subject rights, or DSRs, which was another high-profile part of the consultation.



There are 2 main things to note on DSRs:

  • Almost the only change is that there’ll be a change in the wording for when you can reject or charge for a DSR, from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. We’ll all need guidance on the actual impact of this change, as the government’s response suggests they may have quite a broad view of this or that they want the same meaning as in the context of FOIA (Freedom of Information Act).
  • And Article 22 remains. That’s the right to have a human review of automated decisions which have legal or similarly significant effects on you, the data subject. The ‘vast majority of respondents’ opposed the proposal to remove Article 22. While it will remain, there will be some clarification on when it applies.



On Artificial Intelligence or AI, we’ve already covered the only main item going ahead:

  • that there’ll be a new condition in Schedule 1 of the UK DPA for using sensitive personal data for monitoring and correcting bias in AI systems

Things that aren’t going ahead (either fully, or at least right now):

  • as we’ve seen, the removal of the right to human review in Article 22 isn’t going ahead, there’ll just be some clarification of some sort on when it applies.
  • on transparency and AI, the government is holding off legislation right now, stating that the recently launched Algorithmic Transparency Standard encompasses the categories recommended for transparency reporting during the consultation process. They’ll move this topic forward separately, and
  • the proposals on transparency of automated decision making in public sector are not going ahead.



Accountability is the area with the biggest practical changes – but then again, maybe not!

The DCMS consultation paper says (para 158): ‘… a strong privacy management programme is likely, in practice, to exhibit many of the same features as the current legislation …’. 

There’s no change to security obligations, use of processors, joint controllers and more. So where ARE the issues? Well, it’s DPOs, DPIAs, and Article 30 Records of Processing Activities or RoPAs. Let’s see what’s being moved forward.


Even though the government says the majority of responses disagreed with removing DPOs, they’re pressing ahead anyway. DPOs will be replaced with a ‘new requirement to appoint a senior responsible individual’ to oversee Data Protection. 

Many think that the ‘no conflict rule’ has been a fatal flaw in the DPO regime: it’s incredibly hard for anyone appropriate in an organisation not to be conflicted, and external DPOs can often be pressured to do work that creates such a conflict. 

But this proposal seems – if anything – to make it harder for UK organisations.

  • For one, it’s not clear whether all organisations must appoint a senior responsible individual or only those who under GDPR would need to appoint a DPO – which is hardly any private entity in reality. It looks like all organisations.
  • And the consultation sets out a lot of obligations for the responsible individual. As examples, the responsible individual will develop and implement a privacy management programme including:
    • policies, procedures,
    • evidence of appropriate reporting to senior management,
    • personal data inventories which describe and explain what data is held, where it is held, why it has been collected and how sensitive it is,
    • risk assessment tools for the identification, assessment and mitigation of privacy risks across the organisation, and
    • operate plans and processes to monitor, assess, review and revise the privacy management programme periodically, as necessary.

And the Government response says ‘Most of the tasks of a data protection officer will become the ultimate responsibility of a designated senior individual to oversee as part of the privacy management programme.’ 

At the moment, the consultation seems to set out more express obligations for (possibly) more organisations than the DPO requirements and accountability rules in GDPR. 


We’ve already seen that risk assessments will still be needed – as appropriate. But then DPIAs aren’t always needed under GDPR at all, they’re only needed when there’s a likely high risk to data subjects rights and freedoms.

In their response, the Government notes, again, that the majority of respondents agreed that DPIA requirements are helpful and disagreed with the proposal to remove them – but they’re going forward to remove them anyway.

The government says:

Under the new privacy management programme, organisations will still be required to identify and manage risks, but they will be granted greater flexibility as to how to meet these requirements. For example, organisations will no longer be required to undertake data protection impact assessments as prescribed in the UK GDPR, but they will be required to ensure there are risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation.

What the Government says about the inflexibility of DPIAs is wrong – for example, there’s no set form so it can be part of a wider assessment. But let’s not get into that now! Suffice it to say there doesn’t seem much reduction – in fact it arguably seems to increase when organisations need to do risk assessments as an express part of the PMP.

Article 30 Records

The term RoPA has become over-used and can be used to include assets and broader information. In fact, Article 30 of GDPR is called Records of Processing Activities and sets out only a summary set of details on your processing activities.

  • It’s not an extensive inventory, and does not call for extensive detail.
  • But one needs to do that deeper inventory anyway so you can do your Privacy Policy, Article 30 Records and remediation.

In the government response, they again note that the majority of respondents disagreed with the proposal to remove the requirement to maintain a RoPA. They also note that:

  • half of respondents disagreed with the statement that Article 30s were duplicative of Articles 13 and 14 without any particular benefit and in fact felt that the Article 30s provide ‘the fundamental building block which then helps them to comply with the requirements under Articles 13 and 14 to inform individuals about how their data is going to be used and with whom it might be shared’.
  • Only ‘[a]round a quarter of respondents agreed that there was duplication without any particular benefit.’

Yet the government is going forward with removing Article 30.

And the government itself even states:

‘Organisations will need to have personal data inventories as part of their privacy management programme which describe what and where personal data is held, why it has been collected and how sensitive it is, but they will not be required to do so in the way prescribed by the requirements set out in Article 30.’

Sounds very similar to us – is there in practice any difference? Probably not.



On Security, the big proposal was to increase the level of risk that triggers notification of a personal data breach to the UK ICO. That’s not going to happen: everything on breaches, and Security, stays the same.



Just as we’re getting decisions on the illegality of Google Analytics from EEA regulators and that there is no risk-based approach to transfers – we’ve a great video on this – the UK government confirms it wants to have a risk-based approach to transfers.

This is setting the UK on a collision course with Europe. We’ll have to wait to see how this ends up in law and how, combined with other changes, it’s seen by the various bodies of the EU in the context of the UK’s adequacy decision under EU GDPR.

What’s not going ahead

The government had also proposed expressly allowing repetitive use of transfer derogations in Article 49, when adequacy or other safeguards are not available. Again, this is contrary to the EU position. This proposal isn’t being pursued.



Turning to PECR, another big topic in the consultation, we’ve already seen that the category of cookies where consent is not needed is to be increased, similar to what’s being discussed in the EU on the new e-Privacy Regulation.

Other PECR changes going ahead are that:

  • the maximum fines will increase to align with GDPR, which most agreed was good, and
  • the soft opt-in will be available to non-commercial organisations such as charities and political parties. 

Neither of these is a surprise.

What’s not going ahead

The government is keen to reduce cookie tool use, in fact it says it ‘intends to legislate to remove the need for websites to display cookie banners to UK residents’.

That’s a huge statement but it appears most of this cookie area, including relying on browser settings, will not be progressed right now and will be kept under review. Again, the exact wording in the resulting law will be important. 

Last, let’s take a look at ICO changes – an area many commentators thought, alongside the proposals on transfers, presented a serious risk to adequacy.



Many of the proposals for the ICO were about governance and either were not controversial, were in line with other regulators, or codified what happens now in practice. However, two are worth keeping an eye on.

1. The ICO will have its statutory duties, and factors to consider in its actions and decisions, set out in more detail. That’s fine, but they’ll also need to take into account a Statement of Strategic Priorities published by the government, albeit at a level below its statutory strategic aims. 

This is even though the government admitted that ‘[t]he majority of respondents disagreed with this proposal. Concerns were raised that this measure would pose a risk to the ICO’s independence …’

2. The second concern is the government’s proposal to have the ICO’s codes and statutory guidance subject to approval by the Secretary of State. Again, the government acknowledged that ‘[t]he majority of respondents disagreed with this proposal. Respondents mainly highlighted concerns about the risk to the ICO’s independence.’ This proposal is going ahead as well.

As with risk-based transfers, it will be interesting to see how Europe reacts to these limitations on the ICO’s independence.

So there you go! You now know the key areas of the government’s response that, if it makes it into law, will affect your Privacy Governance.


Future-proof your Privacy with robust Privacy Governance

Keepabl’s multi award-winning intuitive Privacy Management Software gives you an instant Privacy Framework, allowing for the fast creation of your Data Map, Records of Processing, Gap Analysis, Processors, Transfers, Breach Management and more – whether as required under GDPR in its current form and any future PMP.

Request your free trial or demo today to see why many organisations are ditching the spreadsheets, or moving away from more complex software, and choosing Keepabl!


