There’s no change to what is or isn’t personal data and no change to territorial scope. If UK GDPR, DPA or PECR apply to you now, that won’t change.
A few minor changes in practice. The government will push forward with clarifying certain themes in the law itself. Some of this may simply move wording from recitals into definitions, some will need more. None of this should have a major effect on your practical compliance.
Research was a big area in the consultation. The main items moving forward are:
Linked to research, there’s going to be clarification of what constitutes re-purposing as opposed to further processing, plus two specific changes:
On anonymisation, the government wants to clarify ‘when a living individual is identifiable’, that the test for identifiability is a relative one, and is based on the wording in the Explanatory Report to the Council of Europe’s Convention 108+ (see page 18) including:
‘Data is to be considered as anonymous only as long as it is impossible to re-identify the data subject or if such re-identification would require unreasonable time, effort or resources, taking into consideration the available technology at the time of the processing and technological developments.’
There’ll be no definition of ‘substantial public interest’.
So what about the core rules of GDPR, its principles and legal bases?
Easy – there’ll be NO change to GDPR’s Principles. These will continue to drive your Privacy Governance. No surprise here, they’re contained one way or another in the OECD Guidelines and Convention 108.
And there’ll be NO new legal bases in GDPR either, but … how and when you can use some of them will slightly change. There’ll also be some changes to the conditions on processing special category personal data in AI, which will go into Schedule 1 of the UK DPA.
Let’s take a closer look.
There will be a list of activities where the Legitimate Interest balancing test is not required, but:
On cookies you generally need to obtain Consent apart from a tightly-defined category of cookies that are necessary for delivering a communication or requested ‘information society service’, basically an online service. Currently, for that ‘strictly necessary’ subset, and that subset alone, you can use Legitimate Interests.
The government’s response on cookies wants to extend the category of cookies where consent is not needed to include traffic and performance cookies.
The proposals on banning cookie banners, and moving to an opt-out system, will wait until technology allows users to easily signal their preferences through, for example, their browser. We’re not there yet.
The government plans to clarify which lawful grounds for processing are available to organisations under Article 6 of the UK GDPR when they are requested by a public body to help deliver a public task.
In particular they want to clarify when private entities can rely on the public task ground in Article 6(1)(e) when they’re acting on behalf of a public entity in performing its tasks. This will be very helpful to a small set of businesses.
There’ll be a new condition in Schedule 1 of the UK DPA to enable the processing of sensitive personal data for the purpose of monitoring and correcting bias in AI systems (this won’t be in the ‘Legitimate Interests list’, so balancing tests will still need to be done if LI is relied on).
The government’s response uses ‘sensitive personal data’ which typically means both special categories and criminal, but we’ll need to wait to see the wording.
Let’s turn to data subject rights, or DSRs, which was another high-profile part of the consultation.
There are 2 main things to note on DSRs:
On Artificial Intelligence or AI, we’ve already covered the only main item going ahead:
Things that aren’t going ahead (or fully or at least right now):
Accountability is the area with the biggest practical changes – but then again, maybe not!
The DCMS consultation paper says (para 158): ‘… a strong privacy management programme is likely, in practice, to exhibit many of the same features as the current legislation …’.
There’s no change to security obligations, use of processors, joint controllers and more. So where ARE the issues? Well, it’s DPOs, DPIAs, and Article 30 Records of Processing Activities or RoPAs. Let’s see what’s being moved forward.
Even though the government says the majority of responses disagreed with removing DPOs, they’re pressing ahead anyway. DPOs will be replaced with a ‘new requirement to appoint a senior responsible individual’ to oversee Data Protection.
Many think that the ‘no conflict rule’ has been a fatal flaw in the DPO regime: it’s incredibly hard for anyone appropriate in an organisation not to be conflicted, and external DPOs can often be pressured to do work that creates such a conflict.
But this proposal seems – if anything – to make it harder for UK organisations.
And the Government response says ‘Most of the tasks of a data protection officer will become the ultimate responsibility of a designated senior individual to oversee as part of the privacy management programme.’
At the moment, the consultation seems to set out more express obligations for (possibly) more organisations than the DPO requirements and accountability rules in GDPR.
We’ve already seen that risk assessments will still be needed – as appropriate. But then DPIAs aren’t always needed under GDPR at all, they’re only needed when there’s a likely high risk to data subjects’ rights and freedoms.
In their response, the Government notes, again, that the majority of respondents agreed that DPIA requirements are helpful and disagreed with the proposal to remove them – but they’re going forward to remove them anyway.
The government says:
‘Under the new privacy management programme, organisations will still be required to identify and manage risks, but they will be granted greater flexibility as to how to meet these requirements. For example, organisations will no longer be required to undertake data protection impact assessments as prescribed in the UK GDPR, but they will be required to ensure there are risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation.’
What the Government says about the inflexibility of DPIAs is wrong – for example, there’s no set form so it can be part of a wider assessment. But let’s not get into that now! Suffice it to say there doesn’t seem to be much reduction – in fact it arguably seems to increase when organisations need to do risk assessments as an express part of the PMP.
The term RoPA has become over-used and can be used to include assets, and broader information. In fact, Article 30 of GDPR is called Records of Processing Activities and sets out only a summary set of details on your processing activities.
In the government response, they again note that the majority of respondents disagreed with the proposal to remove the requirement to maintain a RoPA. They also note that:
Yet the government is going forward with removing Article 30.
And the government itself even states:
‘Organisations will need to have personal data inventories as part of their privacy management programme which describe what and where personal data is held, why it has been collected and how sensitive it is, but they will not be required to do so in the way prescribed by the requirements set out in Article 30.’
Sounds very similar to us – is there in practice any difference? Probably not.
On Security, the big proposal was to increase the level of risk that triggers notification of a personal data breach to the UK ICO. That’s not going to happen: everything on breaches, and Security, stays the same.
Just as we’re getting decisions on the illegality of Google Analytics from EEA regulators and that there is no risk-based approach to transfers – we’ve a great video on this – the UK government confirms it wants to have a risk-based approach to transfers.
This is setting the UK on a collision course with Europe. We’ll have to wait to see how this ends up in law and how, combined with other changes, it’s seen by the various bodies of the EU in the context of the UK’s adequacy decision under EU GDPR.
The government had also proposed expressly allowing repetitive use of transfer derogations in Article 49, when adequacy or other safeguards are not available. Again, this is contrary to the EU position. This proposal isn’t being pursued.
Turning to PECR, another big topic in the consultation, we’ve already seen that the category of cookies where consent is not needed is to be increased, similar to what’s being discussed in the EU on the new e-Privacy Regulation.
Other PECR changes going ahead are that:
Neither of these are a surprise.
The government is keen to reduce cookie tool use, in fact it says it ‘intends to legislate to remove the need for websites to display cookie banners to UK residents’.
That’s a huge statement but it appears most of this cookie area, including relying on browser settings, will not be progressed right now and will be kept under review. Again, the exact wording in the resulting law will be important.
Last, let’s take a look at ICO changes – an area many commentators thought, alongside the proposals on transfers, presented a serious risk to adequacy.
Many of the proposals for the ICO were about governance and either were not controversial, were in line with other regulators, or codified what happens now in practice. However, two are worth keeping an eye on.
1. The ICO will have its statutory duties, and factors to consider in its actions and decisions, set out in more detail. That’s fine, but they’ll also need to take into account a Statement of Strategic Priorities published by the government, albeit at a level below its statutory strategic aims.
This is even though the government admitted that ‘[t]he majority of respondents disagreed with this proposal. Concerns were raised that this measure would pose a risk to the ICO’s independence …’
2. The second concern is the government’s proposal to have the ICO’s codes and statutory guidance subject to approval by the Secretary of State. Again, the government acknowledged that ‘[t]he majority of respondents disagreed with this proposal. Respondents mainly highlighted concerns about the risk to the ICO’s independence.’ This proposal is going ahead as well.
As with risk-based transfers, it will be interesting to see how Europe reacts to these limitations on the ICO’s independence.
So there you go! You now know the key areas of the government’s response that, if it makes it into law, will affect your Privacy Governance.
Keepabl’s multi award-winning intuitive Privacy Management Software gives you an instant Privacy Framework, allowing for the fast creation of your Data Map, Records of Processing, Gap Analysis, Processors, Transfers, Breach Management and more – whether as required under GDPR in its current form or under any future PMP.
Request your free trial or demo today to see why many organisations are ditching the spreadsheets, or moving away from more complex software, and choosing Keepabl!