March 2, 2022
The government’s aim, to reduce barriers to innovation, has been welcomed by many businesses but other stakeholders also recognise how the proposed regime would reduce the protection afforded to individuals.
Some of the proposals are cosmetic, but others, if adopted, would change the UK data protection legislation in a more radical way.
For example, the suggestions on replacing Data Protection Impact Assessment (DPIA), and the central record of processing, with more general requirements to identify and minimise data protection risks would take the UK a step away from the GDPR and its European counterparts.
With the ultimate goal being to facilitate AI, the proposals would also remove the Article 22 right in the UK GDPR not to be subject to a decision based solely on automated processing.
The proposals would also impose a fee on Subject Access Requests, bring the Privacy and Electronic Communications Regulations’ enforcement regime into line with the UK GDPR and the Data Protection Act, and make changes to the ICO’s governance model which would affect its independence.
The government says that organisations will benefit from being required to develop and implement a risk-based privacy management programme.
Importantly, the proposals would also REMOVE the role of the DPO, to be replaced with a suitable individual responsible for the privacy management programme.
The proposals do not discuss European representatives. It is our understanding, though, that nothing would change for UK companies offering goods or services to individuals in the EEA, or monitoring the behaviour of individuals in the EEA, as they would still need to comply with the EU GDPR for that processing.
What is being proposed
Chapter 2.2 in the government’s consultation document Data: New Direction includes the proposals on reforming the accountability framework.
The privacy management programme would cover:
I. The roles and responsibilities within the organisation in relation to personal data protection, including who is designated as the responsible individual(s) for the privacy management programme and overseeing the organisation’s data protection compliance. The designated individual(s) will also be responsible for representing the organisation to the ICO and data subjects where necessary. The legislation would not prescribe the specific requirements needed for the role(s) and an organisation would have discretion over appointments, including by being able to determine the appropriate skills, qualifications and position needed for the role(s), taking account of the volume and sensitivity of the personal information under its control, and the type(s) of data processing it carries out.
II. Evidence that oversight and support from senior management, and appropriate reporting mechanisms to senior management, are in place, and how the organisation ensures its staff understand key data protection obligations, policies and processes.
III. Measures which assist the designated responsible individual(s) for structuring an appropriate privacy management programme and demonstrate the organisation is compliant with data protection legislation.
It is rather odd that just when the DPO role has been professionalised with many training opportunities and appropriate supportive bodies, the UK thinks this role does not need to be included as a legal requirement.
However, any DPO working in this field will recognise the above tasks as largely the same ones that they are currently responsible for. So why the change?
The UK government says that the current requirements do not necessarily drive the intended outcomes of the legislation: ‘Some organisations may struggle to appoint an individual with the requisite skills and who is sufficiently independent from other duties, especially in the case of smaller organisations.’
It is recognised, however, that some organisations may still choose to designate an individual to perform a role similar to that of a Data Protection Officer in order to independently monitor and assess the organisation’s data protection compliance. However, this would need to be in addition to the ‘responsible individual’.
The government is now analysing the 3000 or so responses it has received to the consultation. Its response should be published this spring, and a White Paper is expected later this year.
While not all of the proposals will be adopted, it is clear that the UK is now on a post-Brexit path to diverge from the GDPR. Recently, the government announced a ‘Brexit Freedoms Bill’ designed to end the special status of EU law and ensure that it can be more easily amended or removed, and issued a policy document entitled ‘The Benefits of Brexit’. Data protection is one of the Brexit outcomes that the government is keen to showcase as ‘real change’.
While businesses may be largely supportive of efforts to cut red tape, it remains to be seen how these changes will affect the UK’s EU adequacy decision for data transfers – a very important aspect for companies large and small. The consultation document does not – surprisingly – touch on this point.
See the consultation document here.