Did you spend a lot of time, money and effort into ensuring that your business was compliant with GDPR back in 2018?
Were you aware that earlier this month, a revised version of the Data Protection and Digital Information Bill was introduced to Parliament?
The UK government claim the updated Bill will:
Reduce the amount of paperwork organisations need to complete to demonstrate compliance.
If the Bill is passed, only organisations whose processing activities are likely to pose high risks to individuals’ rights and freedoms will need to keep processing records (e.g., health organisations).
Introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement.
Increase public and organisations’ confidence in AI technologies by focusing on increased safeguards that apply to automated decision-making.
The Bill ensures organisations can use automated decision-making with more confidence, and that the right safeguards are in place for people about whom those decisions are taken. For instance, if profiling takes place or if an automated decision is taken without meaningful human involvement, an individual will be able to challenge that decision and request another person review the outcome instead.
Provide organisations with greater confidence about when they can process personal data without consent.
The new rules will give organisations more clarity about when they can process personal data without needing consent and it provides for further specific activities or interests which may be regarded as in a controller’s legitimate interest to process data.
As well as the above, the Bill amends a controller’s ability to refuse to comply with a data subject request in circumstances where it is ‘vexatious or excessive’, replacing the existing threshold of ‘manifestly unfounded’ or ‘excessive’.
It also changes the definition of personal data to information relating to an identifiable individual (i) where the individual is identifiable by the controller or processor by reasonable means at the time of processing; or (ii) where the controller or processor knows, or ought reasonably to know, that another person will, or is likely to, obtain the information as a result of the processing and the individual will be, or is likely to be, identifiable by that person by reasonable means at the time of processing.
The UK government claims that the Bill will achieve the above objectives whilst still maintaining data adequacy status with the EU and without losing international confidence in its historically high standards.
It will be interesting to see if this new framework will be as easy and cost-effective to implement as the UK government claim.
Many organisations will still need to comply with EU data protection law too, for example if they handle personal data of EU residents. Whilst the first iteration of the Bill mentioned data subject requests and cookie consent (two subjects which businesses are keen to reform and make easier), the updated Bill doesn’t expand on this so we’ll have to wait and see how these two are handled and reformed, if at all.
There’s no denying that significant reforms to the UK data protection regime will be closely monitored by the European Commission to see if the UK is still meeting the EU’s high standards of data protection for the purposes of maintaining the adequacy decision. Only time will tell if the new rules are able to ensure data adequacy, whilst freeing British businesses from a one-size-fits-all approach to personal data.
If you have any queries or concerns about how your business handles personal data, we’re here to help.
We advise a wide range of businesses on data protection and compliance, giving you the reassurance that you are avoiding any possible risks. Call the team on 0300 124 0406 or email SophieBrazier@schofieldsweeney.co.uk.