Understanding the UK GDPR Data Protection Bill
The UK GDPR Bill is a proposal and may undergo amendments before receiving Royal Assent. If enacted, it will have a limited impact due to the need to maintain data adequacy with the EU. The proposed regime may make UK data protection law less prescriptive. However, Companies operating may prefer to maintain a single GDPR standard to ensure compliance across the regions.
The UK Government is currently considering the Data Protection and Digital Information (No 2) Bill. Which proposes changes to the existing UK General Data Protection Regulation (UK GDPR). The Bill aims to simplify data processes, reduce administrative burdens, and ensure data adequacy with the EU. Let’s explore the key proposed changes and their potential impact.
Proposed Changes in the UK GDPR Bill:
Clarity on ‘Identifiable Living Individual:
- The Bill provides clearer guidelines on when information qualifies as relating to an identifiable living individual. It includes cases where a person can be identified by the data controller or processor at the time of processing. It also incorporates when a third party could identify an individual through data sharing.
Regime for Scientific Research and Innovation:
- The Bill broadens the definition of scientific research. This covers all research types: public/private funding, commercial/non-commercial, tech development, fundamental/applied research and public health, for public benefit. These changes aim to facilitate more scientific research, benefiting both academics and commercial organisations.
Processing for Legitimate Interests:
- The Bill introduces examples of activities that are considered necessary for legitimate interests. This includes activities such as direct marketing, intra-group data transmission, and ensuring network security. However, data controllers must still conduct a balancing test to ensure individual rights are maintained.
“Recognised Legitimate Interests”:
- A concept that eliminates the need for data controllers to carry out a balancing test for certain legitimate interests. This includes public interests, national security, public security, defence, emergencies, and crime prevention.
Data Subject Rights:
- The threshold for data subject requests previously “manifestly unfounded or excessive,” will be changed to “vexatious or excessive”. Aligning it with the Freedom of Information regime. This will prevent requests intended to cause distress or made in bad faith.
- The Bill proposes a replacement for existing Article 22. Restricting automated decisions that significantly affect data subjects based on special category data or recognised legitimate interests. Safeguards will be required for decisions based solely on automated processing.
UK Representative Requirement Removed:
- Non-UK-based controllers and processors will no longer need to appoint a UK representative. Article 27 of the UK GDPR will be removed.
Senior Responsible Individual (SRI):
- The traditional role of the Data Protection Officer will be replaced with a Senior Responsible Individual. Required only for public bodies or high-risk processing organisations.
Amendments to Privacy and Electronic Communications Regulations (PECR):
- PECR will see exemptions to the consent requirement for low-risk activities. Such as font settings for displaying on user devices, security updates, and emergency geolocation identification. The Information Commission’s enforcement powers for PECR breaches will be aligned with UK GDPR.
Records of Processing of Personal Data:
- Controllers or processors handling data likely to pose a high risk to individual rights must maintain records of data processing.
The Regulator – Information Commission:
- The Information Commissioner’s Office will be replaced by the Information Commission. Albeit subject to greater Parliamentary analysis and the ability of the Secretary of State to issue strategic priorities.
Summary of the UK GDPR Bill:
The UK Government is considering the Data Protection and Digital Information (No 2) Bill. The Bill aims to simplify data processes, enhance scientific research, and clarify legitimate interests while maintaining data adequacy with the EU. The Bill also eliminates the UK representative requirement, replacing the role of Data Protection Officer with a Senior Responsible Individual for certain organisations Additionally it introduces exemptions to consent requirements under Privacy and Electronic Communications Regulations (PECR).
While the impact of the Bill may be limited due to the growing need to align with EU data protection standards. Nevertheless, companies operating in Europe and across multiple territories may prefer to maintain a single GDPR standard.
Following this post here’s a link to the bill. Data Protection and Digital Information (No. 2) Bill
Furthermore, assess your readiness for the changes to the bill by contacting our team