Evolution of the UK GDPR Framework is a hot topic at the moment. The Bill is a proposal and may undergo amendments before receiving Royal Assent. If enacted, it will have a limited impact due to the need to maintain data adequacy with the EU. While the proposed regime may make UK data protection law less prescriptive, companies operating in the UK & Europe may prefer to maintain a single GDPR standard to ensure compliance across the regions.
The UK Government is currently considering the Data Protection and Digital Information (No 2) Bill, which proposes changes to the existing UK General Data Protection Regulation (UK GDPR). The Bill aims to simplify data processes, reduce administrative burdens, and ensure data adequacy with the EU. Let’s explore the key proposed changes and their potential impact.
Proposed Changes in the Bill:
Clarity on ‘Identifiable Living Individual’:
- The Bill provides clearer guidelines on when information qualifies as relating to an identifiable living individual. This encompasses situations in which the data controller or processor can identify a person during processing, as well as instances in which data sharing could allow a third party to identify an individual.
Regime for Scientific Research and Innovation
- The Bill broadens the definition of scientific research, covering publicly or privately funded research, commercial or non-commercial activities, technological development, fundamental research, applied research, and public health studies in the public interest. These changes aim to facilitate more scientific research, benefiting both academics and commercial organisations.
Processing for Legitimate Interests
- The new bill introduces illustrative instances of activities deemed essential for legitimate interests. These examples include direct marketing, intra-group data transmission, and maintaining network security. However, data controllers must still conduct a balancing test to ensure that individual rights are not outweighed.
Recognised Legitimate Interests
- A concept that eliminates the need for data controllers to carry out a balancing test for certain legitimate interests, including public interests, national security, public security, defence, emergencies, and crime prevention.
Data Subject Rights
- The threshold for data subject requests under UK GDPR will shift from the previous criterion of “manifestly unfounded or excessive” to “vexatious or excessive”, bringing it in line with the Freedom of Information regime. This will prevent requests intended to cause distress or made in bad faith.
- The Bill proposes a replacement for existing Article 22, restricting automated decisions that significantly affect data subjects based on special category data or recognised legitimate interests. Decisions solely relying on automated processing will necessitate the implementation of safeguards.
Senior Responsible Individual (SRI)
- It is likely that organisations will replace the role of the Data Protection Officer with a Senior Responsible Individual, which is mandated only for public entities or organisations engaged in high-risk processing.
Amendments to Privacy and Electronic Communications Regulations (PECR)
- PECR will see exemptions to the consent requirement for low-risk activities, such as font settings for displaying on user devices, security updates, and emergency geolocation identification. The Information Commission will align its enforcement powers for PECR breaches with UK GDPR.
Records of Processing of Personal Data
- Only controllers or processors dealing with data that is likely to present a significant risk to individual rights will need to keep records of data processing.
The Regulator – Information Commission
- The Information Commissioner’s Office will be replaced by the Information Commission, subject to greater Parliamentary analysis and the ability of the Secretary of State to issue strategic priorities.
Summary of the Bill:
The UK Government is considering the Data Protection and Digital Information (No 2) Bill, proposing changes to the UK General Data Protection Regulation (UK GDPR). In summary, the Bill aims to simplify data processes, enhance scientific research, and clarify legitimate interests while maintaining data adequacy with the EU. Proposed changes include clearer definitions of identifiable living individuals, a new regime for scientific research, examples of processing for legitimate interests, and restrictions on automated decision-making. In addition, the Bill takes a significant step by eliminating the UK representative requirement. It also introduces a noteworthy change by replacing the role of Data Protection Officer with a Senior Responsible Individual for certain organisations. Furthermore, the Bill brings about exemptions to consent requirements under the Privacy and Electronic Communications Regulations (PECR).
Overall, the impact of the Bill may be limited due to the continuing need to align with EU data protection standards; companies operating in Europe and across multiple territories may prefer to maintain a single GDPR standard.