24th November 2023

What could the new Data Protection Bill mean for your business?

Proposed new data protection legislation will have some practical implications for the way businesses store and share personal and sensitive information.

We’ve all heard of GDPR – the piece of European law responsible for data transparency and making sure we have privacy policies, the need to “opt in” for email communications and the threat of draconian fines for data breaches.

Post-Brexit, the main principles of the GDPR were carried over into UK law as the UK GDPR, which sits alongside the Data Protection Act 2018. The government is now proposing changes intended to clarify certain data protection obligations, and businesses should be aware of them.

These amendments are set out in the UK Data Protection and Digital Information Bill, currently before Parliament. The proposals could still change before the Bill is passed into law, but it is helpful for businesses to know about its possible impact so they can make any necessary preparations.

What is the UK Data Protection and Digital Information Bill?

The Bill is intended to maintain the high standards of data protection legislation but in a way that is more practical and easier to handle for UK businesses – particularly smaller businesses which process smaller amounts of personal data in lower-risk situations.

The UK Government and Information Commissioner’s Office (ICO, which oversees data protection in the UK) have indicated that if businesses operate in both the EU and UK and follow EU GDPR rules, then they will generally be compliant with the requirements of the new Bill. However, businesses operating only within the UK will find some less onerous requirements in the new Bill which will help to cut down on administration and make life easier.

What are the main changes for UK businesses?

The Data Protection Bill contains several proposed changes, and we have summarised some of the key ones in this piece. The full list of changes and the latest information on the Bill can be found on the Government’s website.

The main changes affecting UK businesses if the Bill becomes law in its current form would be:

Legitimate interest

If you send marketing emails to former or potential customers, the lawful basis you rely on is likely to be the business’s legitimate interest in keeping in touch with them or attracting new custom.

The Bill spells out that processing for direct marketing (advertising or marketing material directed at particular individuals) may be a legitimate interest, giving businesses more comfort that this is an available lawful basis for such processing. Two caveats remain: the usual balancing of the business’s interests against the individual’s rights and interests still has to be carried out, and the separate rules on electronic marketing (the Privacy and Electronic Communications Regulations, or PECR) still govern whether a marketing email may actually be sent.

Soft opt-in for marketing

Businesses are currently allowed to rely on a ‘soft opt-in’ which allows them to keep in touch with existing customers about similar products or services without those customers having specifically opted in to receive marketing communications. The Bill extends this to political parties and non-commercial organisations such as charities, which currently cannot rely on the soft opt-in. Recipients must, of course, be given a simple way to opt out of communications at any time.

Data Subject Access Requests (DSARs)

Any individual has the right to ask a business what data is being held about them, and the business must disclose it – a process known as a Data Subject Access Request. Occasionally this right can be abused by applicants with an axe to grind.

The Bill allows businesses to refuse a request, or to charge a reasonable fee for dealing with it, if the request is “vexatious or excessive” – a slightly lower bar than the current UK GDPR wording of “manifestly unfounded or excessive”. Businesses should still record why a request was treated as vexatious or excessive, because the applicant can complain to the ICO about the refusal.

Data Protection Officers (DPOs) 

The Bill no longer requires certain businesses to have a Data Protection Officer, but instead requires organisations to appoint a “senior responsible individual” (SRI) if the business is a public body or carries out high-risk processing. There are no set criteria in the Bill for what constitutes “high risk”, but the Information Commissioner’s Office will publish examples of processing types it considers likely to be high-risk for this purpose. These are likely to be along the lines of the current Data Protection Officer triggers: being a public body, or the regular and systematic processing of personal data on a large scale – for example, by an HR service provider.

Data Protection Impact Assessments

The Bill confirms the Information Commissioner’s guidance that Data Protection Impact Assessments will only be required for activities deemed ‘high risk’. Again, the Bill does not define high-risk processing, but the ICO will publish examples to illustrate what is meant by ‘high risk’.

The same will go for Records of Processing Activities (ROPAs). These are widely required under current data protection law, but under the Bill’s proposals they will only be necessary for processing likely to be high risk, with the ICO again publishing examples.

Cookie law

The Bill slightly relaxes the current rules on cookies (which sit in the Privacy and Electronic Communications Regulations rather than the GDPR itself) – the small pieces of data a website stores on a user’s computer or device, which can be used to track the user’s activity. The Bill will permit the storage of cookies, and access to the information they hold, for the purpose of collecting statistics to improve a service, as long as the user is informed and given a simple way to object. Other activities, such as authenticating a user or detecting fraud, will be treated as “strictly necessary” and will not require the user’s consent.

Our advice

The clarifications and relaxed obligations are welcome, and it is hoped that the changes will reduce administration and compliance costs. Ultimately, the Bill maintains the level of protection of personal data under the current UK GDPR regime, so businesses will still need to know what personal data they process, on what lawful basis, and how they tell users about that processing.

For now, until the Bill becomes law, businesses should ensure they abide by the requirements of the UK GDPR for UK-based processing and the EU GDPR where they process data in both the UK and the EU. Organisations should seek legal advice if they suspect a breach or need to clarify whether their data handling is compliant.

The Thrings Commercial team includes data protection specialists who can advise you on compliance, protecting privacy and dealing with any potential breaches. See more about the team here.

