How will the UK Data Reform Bill affect me and my business?

What is it?

On June 17th 2022, the UK government released its response to the UK Data Reform consultation, which had been held between September and November 2021.

This consultation ran for ten weeks, closing on 19 November 2021. It received 2,924 responses: 684 via email and 2,240 via the government’s survey platform. Responses came from the Information Commissioner’s Office and from organisations representing a cross-section of the UK economy and society, as well as from overseas organisations.

During the consultation period, the government engaged with various stakeholders, including over 40 roundtables with academia, tech and industry bodies, and consumer rights groups, providing a wide range of views.

The complete response can be read in full online. This blog serves to dissect, interpret and narrow down the bill's scope and put it into plain English.

All interpretations are my own at the time of writing this blog and should in no way be taken as legal advice. You should seek the correct expertise or legal advice if you are unsure how to implement any changes required in your business.

Introduction and summary

The response includes:

· an introduction and summary explaining what the reform plans
· how the consultation worked
· responses received and concerns

During the introduction, the response talks of a “reshape to its approach to regulation outside the EU", meaning that the UK wishes to draft its own data laws and not be tied to EU law post-Brexit.

The response also talks of current “inappropriate barriers to the flow of data” and its “international commitments to the free flow of data.”

This is an interesting use of language because it hints at a more open playing field for transferring data to countries outside of the UK. The GDPR restricts data transfers that lack an appropriate safeguard, and the recent ruling that the use of Google Analytics is unlawful has put a sharp focus on where data is stored.

The UK seems to be paving the way for data transfers to be less restrictive. This will lead to less scrutiny being placed upon third parties and suppliers who process data outside of the UK.

Alternative Transfer Mechanisms (ATMs) were mentioned.

A further swipe at the EU GDPR was taken toward the end of the introduction when the response stated, “UK scientists are no longer impeded by overcautious, unclear EU-derived rules”.

Legal requirements will be simplified for scientific purposes, meaning that scientific research will be less restricted when processing data.

The response continues to state that they will maintain these important principles:

· High standards
· A future-proofed regime that avoids tick boxes
· A limited number of new requirements
· Concrete advantages for the UK
· ICO reforms

The response states that “almost all organisations that comply with the UK’s current regime will comply with our future regime.”

This will be welcome news to companies who have spent and continue to spend thousands of pounds on their compliance landscape.

The response also states that the government believes the UK will continue to be granted an adequacy rating for data transfers from the EU into the UK.

The introduction provides an executive summary of each of the five chapters and a summary of the responses and concerns that were highlighted during the consultation.

Overall highlights

The key elements of each of the five chapters are highlighted throughout this report. The key highlights across all five chapters include:

· Scientific research to be clarified
· A Legitimate Interest Balancing test exemption list will be published
· The use of AI to be updated, clarified and included in the new reform
· Anonymised data to be clarified
· Privacy Enhancing Technologies will be discussed alongside other tools that will assist data processing
· Businesses will be incentivised to invest in governance, tools, policies and people
· A flexible accountability framework will be introduced
· DPO requirement to be removed
· DPIA requirement to be replaced with a risk assessment
· ROPA requirement to be replaced with a flexible record-keeping solution
· One-size-fits-all approaches will be eradicated
· Organisations already compliant with the GDPR will see less significant changes
· Cookie banners will not be required
· Cookie consent will be replaced with an opt-out mechanism for all non-essential cookies
· PECR fines to increase in line with GDPR fines
· International data transfers will be easier
· Public sector data sharing to be made easier
· The ICO will be reformed


Chapter one

Chapter one is titled “Reducing barriers to responsible innovation” and sets out plans to ensure processing for scientific research is easier and less restricted.

The key highlights of the chapter include:

· Recital 159 of the GDPR will be moved to the operative text. This will give greater clarity to how scientific research is defined
· No new lawful basis will be created for processing data for scientific research
· Controllers processing data for a research purpose that differs from the original purpose (re-use) will be exempt from re-providing information under Article 13
· Article 13 says that information should be provided when collecting data from an individual
· Re-use will be clarified in the new bill, and further clarity will be provided as to what constitutes new processing vs further processing
· The government will codify that further processing or re-use will not be permitted when consent is the lawful basis
· The government will introduce a list of activities where a legitimate interest balancing test (LIA) will not be required when relying on legitimate interests as a lawful basis
· AI was discussed at length: “the government will consider the role that fairness should play in wider AI governance as part of the white paper on AI governance but does not currently plan to legislate on this”
· The government plans to introduce a new condition to Schedule 1 of the DPA 2018 to enable the processing of sensitive personal data for the purposes of monitoring and correcting biased AI systems
· Proposals to remove human interaction from automated decision making will not be pursued
· Clarity around what constitutes anonymised data will be included in the bill, making it easier for companies to distinguish anonymised from pseudonymised data
· The government plans to explore opportunities to advance Privacy Enhancing Technologies (PETs)
· Data intermediaries were discussed as innovative data sharing solutions
· The government will consider non-legislative action, including clarifying intermediaries' rights and supporting them further
· There are no immediate plans to change the lawful basis for sharing data with intermediaries

Chapter 1 essentially sets out provisions to make processing data for scientific research easier, whilst nodding toward AI as a solution likely to be taken up by more companies over time by adding an additional condition for processing sensitive data.

Legitimate interests will be easier to rely upon without the need to complete a balancing test, thus tempting companies to move away from another lawful basis that could be more suitable.

Anonymised data will be clarified. This could lead to added restrictions and safeguards to ensure data is fully anonymised, but it is more likely that the rules around what constitutes genuinely anonymised data will be relaxed, making it easier for companies to badge data as anonymised.

The use of PETs is likely to be encouraged, leading to further nods toward the use of technology. Technology will have its place, and the hope is that PETs aren’t encouraged in place of human oversight toward data management.

Intermediaries may be looked at as solutions to transfer data. If managed correctly, this would hopefully ensure secure data transfers and sharing.


Chapter two

Chapter two is titled Reducing burdens on businesses and delivering better outcomes for people and discusses reform of the accountability framework.

The key highlights of the chapter include:

· Development of a regime that incentivises investment in governance, policies, tools, people and skills
· A flexible accountability framework to be introduced based on:
o Leadership and oversight
o Risk assessment
o Transparency
o Training and awareness of staff
o Monitoring, evaluation and improvement
· Removing the requirement to appoint a DPO and replacing them with a suitable senior individual
· Replacing Data Protection Impact Assessments (DPIAs) with risk assessments
· Replacing the Record of Processing Activities (ROPA) with a more flexible record-keeping requirement
· Flexibility to allow organisations to focus their resources more effectively
· Privacy management programmes will eradicate a one-size-fits-all approach
· Organisations that comply with the GDPR will not need to significantly change their approach
· Organisations that process highly sensitive information will need to be more robust
· The new regime will mirror the current maximum sanctions of £8.7m or 2% (whichever is greater)
· Removal of the mandatory requirement to consult the ICO if the risks involved in high-risk processing cannot be mitigated
· The mandatory requirement will be replaced with a voluntary mechanism, which will be taken into account as a mitigating factor during a future investigation
· A voluntary undertaking process similar to that used in Singapore will not be pursued
· No changes will be made to how a breach should be reported
· The language used to reject a Subject Access Request (SAR) will change to ‘vexatious or excessive’ to be in line with the Freedom of Information regime
· There will be no re-introduction of the fee to make a SAR
· Sectoral needs (healthcare etc.) and the needs of SME businesses will be considered by the government concerning SAR responses
· Cookie pop-up banners are seen to be an annoyance to UK residents
· The need to display a cookie banner to UK residents will be removed
· In the immediate term, non-intrusive cookies will be allowed to drop without consent
· Consent for cookies will be replaced with an opt-out model for UK residents
· Explicit opt-out information must be available
· The opt-out model will not apply to websites accessed by children
· The soft opt-in has been extended to non-commercial organisations
· Action is to be taken against volumes of nuisance calls. At present, action is only taken against connected nuisance calls
· A duty will be put upon communications providers to report nuisance call volumes
· The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the UK GDPR. They give people specific privacy rights concerning electronic communications
· PECR maximum fines will rise from £500k to £17.5m or 4% of global turnover (whichever is greater)
· The ICO will be given powers to serve assessment notices and carry out audits as it sees fit
· The government is ‘minded’ to make changes to the list of lawful bases for processing for political purposes
· The consolidation of the UK GDPR, DPA 2018 and PECR is a ‘future issue’ and will not happen alongside this reform

Of the five chapters, chapter two will perhaps give the most significant cause for concern and debate.

Whilst the response states that companies who currently comply will not need to make significant changes, UK businesses may be concerned that this reform represents yet another change to how they manage data, having already been through significant changes in the run-up to GDPR enforcement and since.

Removing the DPO requirement will be great news to companies who feel they do not need one but must hire or outsource a DPO at additional cost. That said, the DPO must be replaced with an appropriate senior individual who will be responsible for the tasks of a DPO.

This could lead to two issues:

1. The removal of an internal or outsourced DPO could remove data protection knowledge that is key to ensuring a business manages data effectively, and
2. The responsibilities placed on a senior member of an organisation, should it decide to do away with its DPO, could put too much strain and burden on one person, leading to a lack of data management

The removal of a DPO should be handled very carefully, with all potential risks evaluated. The requirements placed on the senior individual who takes over should also be looked at very carefully.

DPIAs being replaced with risk assessments is not a massive change in itself, as a DPIA is a risk assessment. The most significant change could be assessing all risks under the new assessment tool, whereas a DPIA is only required for high risk processing.

The replacement of a ROPA will be welcome as a ROPA has often been seen to be restrictive and clunky to use, especially the ICO’s template. Flexible record keeping is yet to be defined. It is likely that a well worked and maintained ROPA would be equally as effective as any new record keeping tools and equally as compliant. We await an update on this.

Removing the need to display a cookie banner and shifting to an opt-out mechanism for analytics cookies is likely to cause some concern.

I have long said that cookie banners are an annoyance. In some cases, they are as intrusive as the cookies themselves. However, the ability to add whatever cookies you like to your website, and the removal of consent and of an easy mechanism to reject cookies, could lead to an avalanche of intrusive tracking cookies being added to the biggest and most frequently visited UK websites.

This leads me to believe that the government has decided to take an easy approach to managing cookies rather than upholding the law and enforcing against poor cookie management, which could take significant time and effort. EU regulators such as the CNIL in France have taken a hard line on cookies, and it appears that the UK has decided firmly against a similar stance.

The soft opt-in will be extended to non-commercial organisations. This will be excellent news to the charity sector, which can now rely on the soft opt-in to send marketing to anyone who has donated to them and provided the requisite communication details.

This is a positive step forward. The soft opt-in allows organisations to market similar products to those who have previously purchased an item or services from them. It makes sense to enable charities the same flexibility in their marketing.

The government is ‘minded’ to add an extra lawful basis for political processing. This would appear to be a way for political parties to process data during campaigns without applying the law.

I see this as lazy law making. In my opinion, political parties can easily find a way of legally processing data under the GDPR, and a new lawful basis does not need to be considered. We await the final draft to see if their minded approach has taken an extra step forward.

It seems that a consolidation of the UK GDPR, DPA 2018 and PECR, incorporating the reforms set out in this response, would make perfect sense for UK business.

One law covering everything would make it easy for organisations to follow, and this whole reform is intended to simplify UK data protection.

However, the government sees this as a future issue. This suggests even further changes and upheaval down the line and does not fit with the idea that this reform is future-proof.


Chapter three

Chapter three is titled Boosting trade and reducing barriers to data flows and discusses how data should flow from and to the UK under the new regime.

The key highlights of the chapter include:

· The intention is to create an autonomous framework for international data transfers that reflects the UK’s independent approach to data protection (meaning that it intends to move away from the EU GDPR’s restrictions on data flows to the likes of the USA)
· The framework will be driven by outcomes and will take an agile approach
· It will focus on risk-based decision making
· The new reform aims to retain the same standard that a country needs to meet to be found adequate
· The adequacy rating will impact the UK's ability to receive data from the EU
· There are no immediate plans to make any changes to adequacy for groups of countries, regions or multilateral frameworks
· The government will relax the requirement to review a country's adequacy rating every four years
· Alternative transfer mechanisms are to be introduced, with a pragmatic and proportionate approach to transfers being supported
· Legislative reform is not planned for reverse transfers
· There are no plans to pursue adaptable transfer mechanisms, which would allow a company to create its own mechanism
· The Secretary of State will be permitted to create a new UK mechanism for transferring data
· No changes are planned to certification schemes, but the government will consider other approaches to certification schemes in future
· No plans to pursue reform to the repetitive use of derogations

Essentially, this chapter is paving the way for the UK to provide adequacy ratings and, therefore, free passage of data to countries that do not currently have an adequacy rating under EU law.

The USA, Australia, and any other country that the UK wishes to trade with or create a trade deal with will likely be given an adequacy rating.

This links with removing consent for analytics, as the biggest analytics providers are based in the US. Allowing them to place analytics cookies on UK websites and collect data to be processed in the US sits nicely with an adequacy rating that allows the transfer without further complicated paperwork.

Adequacy ratings being given to countries outside of the current EU adequacy list could lead to the UK’s own EU adequacy rating being revoked. This response claims otherwise, but this may be a factor in future.

The current safeguards and transfer mechanisms in the GDPR are clear. They hold very little ambiguity. A move to risk assessments could put the onus on a company to decide whether or not it should transfer data to a third party. This directly contradicts the aim of the reform being easier and clearer to operate within.

Whilst these changes will be welcome news to businesses who transfer data outside of the UK, they could lead to data being less protected and more vulnerable if transfers are made so easy that little thought needs to be put into them.

Chapter four

Chapter four is titled Delivering better public services and discusses processing data for the public interest.

The key highlights of the chapter include:

· The government will support data sharing in the public sector to improve public services
· This will not assist sharing of data with private sector organisations
· Legislation is planned to clarify which lawful grounds for processing are available to organisations when they are asked to process data to help deliver a public task
· There are no plans to change the way health data is processed in an emergency for organisations outside of the healthcare sector
· No changes are planned to the transparency mechanism for algorithms
· The government will not further define what substantial public interest means at this time
· The government is giving thought to provisions to add to or amend the list of specific situations in Schedule 1 of the DPA 2018
· The government will work with the police force to promote high standards and best practice
· The government is considering allowing law enforcement sectors to produce codes of conduct

Depending on your point of view, this chapter is a positive for public sector data processing. The ability of public sector bodies to share data more freely could assist the public in many ways.

There should be caution, however, so that any new or revised ways to share data are not abused, and that data is kept safe and secure.


Chapter five

Chapter five is titled Reform of the Information Commissioner's Office and discusses changes outlined to reform the ICO by:

· setting new and improved objectives and a clearer strategic vision for the regulator
· changing its governance model, improving accountability mechanisms, and extending its investigatory powers
· refocusing its statutory commitments away from handling a high volume of low-level complaints and towards addressing the most severe threats to public trust and inappropriate barriers to responsible personal data use

The key highlights of the chapter include:

· A new statutory framework will be introduced to set out the strategy, objectives and duties of the ICO
· An overarching objective will be introduced with two components: upholding data rights and encouraging trustworthy and responsible use of data
· The ICO will have regard to competition, growth and innovation
· The government will introduce a statement of strategic priorities (SSP) for the ICO
· The government will not introduce information sharing gateways with other regulators
· The ICO will not be required to deliver an international strategy
· A new governance model will be introduced
· The role of Chief Executive will not be filled via a public appointment process; instead, the Chief Executive will be appointed by the ICO’s board in consultation with the Secretary of State
· Parliamentary approval for the salary of the Information Commissioner will be removed
· The government is considering options to rename the ICO
· Legislative reporting requirements will be introduced
· Plans to empower the Secretary of State to review the ICO independently will not be pursued
· The ICO will continue to produce codes of practice
· The ICO will be required to publish impact assessments when developing codes of practice
· A panel of experts will be set up to review the impact assessments
· The Secretary of State will approve ICO codes of practice
· Updates will be made to the way individuals can make a complaint to the ICO
· Updates will be made to the enforcement powers of the ICO and the transparency of enforcement
· The government is considering whether the ICO could carry out some of the Biometrics and Surveillance Camera Commissioner's ancillary activities

A reform of the ICO will be welcome news to many people, particularly privacy professionals.

The ICO has been seemingly reluctant to enforce the GDPR, and it makes sense to reform the way that the ICO runs and operates. The conditions set out would indicate that the government wants to keep a keen eye on how the ICO operates.


What’s next?

The reform will be put through parliament and voted on before becoming law. Some areas need clarification, and the final draft will likely vary slightly from this initial response.

The only immediate change highlighted is the ability to place non-intrusive, non-essential cookies onto a website without consent. Otherwise, the changes will come into effect when the bill is passed.

It is possible that once the bill is passed as law, companies will have a grace period to comply. This would be in line with the GDPR, which was law in 2016 but enforced in 2018.

If you are concerned, have a question or would like to discuss this further, please contact me on 07825880538 or email [email protected], and I will happily spare you some time to discuss these changes with zero obligation attached.

Ellie Blore

Data Protection Officer | UK GDPR | Compliance | Cyber Security | Legal | Speaker | Employee Engagement @ Best Companies

2 years

Will, I'd probably go with might. Quite a bit to go yet in terms of actual confirmation; I'm waiting for the draft bill and what makes the first cut.
