Upcoming Changes To The UK’s Data Protection Laws
The Government’s update to the UK’s Data Protection Regime is finally on the move again, with the second Data Protection and Digital Information Bill having passed the second reading in the House of Commons in April. The bill is currently under consideration, and a committee report is expected by mid-June.
Concerns about the maintenance of the adequacy decision – which allows personal data to flow freely between the UK and the EU – have been at the forefront of debate, as removal could mean major regulatory disruption for UK businesses. The government has, however, said that they are working closely with the European Commission.
RELATED ARTICLES:
RELATED RESOURCES:
The UK Government says that the bill should shake up the data protection regime that was introduced in 2018 with the GDPR, moulding the ‘one-size-fits-all’ EU GDPR to UK needs. They say that the new rules aim to reduce red tape for firms and usher in extra protections for customers in the form of bigger fines for nuisance calls and fewer pop-ups. They calculate that the new rules will contribute an additional £4.7 billion to the economy over the next ten years. Billed as the ‘common sense’ answer to the General Data Protection Regulation, for firms the changes are summarised as supporting greater flexibility when it comes to handling personal data.
As currently drafted, there are a number of terminology changes and definition explanations that should provide welcome clarity in some areas. There would also be changes to subject access requests, with firms given greater powers to refuse them. Automated decision-making rules are also set to change, which could have major implications for firms that have experienced red tape around automated decisions. Fully automated decision making related to significant decisions will no longer be prohibited.
Maintaining that all-important adequacy decision will undoubtedly influence future changes to the bill. The EU does have some concerns about proposals to allow ministers to make changes to the regime without parliamentary debate; clarity around the direction of travel given these concerns is expected following the committee report. In other words, more changes are possible.
Likely even, given a number of concerns from business and politics alike. Whereas the bill clarifies some elements of the existing regulation, new terms are vague and difficult to interpret without more information. Subject Access Requests can be refused if they are ‘excessive or vexatious’, examples of which are given; where they are intended to cause distress, not made in good faith, or are an abuse of process. The examples are as vague as the terms, so should the regulations come into force in their current form, there is likely to be some getting used to refusal decision justifications.
So what can we expect data protection to look like in the future?
Firms whose activities don’t pose ‘high risks’ to individual rights and freedoms will no longer be required to keep a record of processing activities. Legitimate interests could also be undergoing a major change. Under the current proposals a balancing test would still be required for basic legitimate interests, but a new legal basis – recognised legitimate interests – would not require a balancing test. This would apply to processing activities to detect, investigate or prevent crime, and to the safeguarding of vulnerable individuals. This will undoubtedly have implications for AML processes, and for the processing of vulnerable customer data.
Firms that are compliant with current data protection rules won’t need to make sweeping changes to their ways of working, but the new legislation will mean that some strategic decisions around automated processing and the processing of special category data will need to be considered, as well as more operational considerations around parameters for subject access requests. The new regime will introduce the new-look ICO as a supportive – rather than a solely disciplinary – organisation, working with firms to protect customer data.
The current bill is facing scrutiny from both UK and EU policymakers, and we’ll help you to stay ahead of any changes as they happen. We support firms with their data protection regimes in a number of ways. We offer online training that interprets the requirements that all staff need to abide by in an easy to understand, relatable way. Priced at £20, the course is accessible at the user’s convenience and provides a certificate upon successful completion: Understanding The Data Protection Regulation (All Staff) 2023.
We will update all of our training and UK GDPR Compliance Resources as any legislative changes happen.
Commentaires