The UK Parliament is currently reviewing a new Data Protection and Digital Information Bill with the aim of enabling organisations to innovate and grow whilst maintaining high standards of data protection rights and data adequacy in line with the EU. If approved, the Bill will introduce amendments to the UK GDPR and the Data Protection 2018 Act.
There are a number of changes that the Bill proposes, including a new Information Commission, changes to the transfer mechanisms, and uses of cookies to name a few. We have highlighted the most relevant ones in this article.
New Information Commission (ICO)
The current ICO will be replaced by the Information Commission as the new supervisory body. According to John Edwards, the UK’s Information Commissioner, improvements will come in the form of a new board structure and data experts giving the Commission an understanding of the challenges of the wider economy. Controversially, the Secretary of State will be able to change the priories of the Commission, although its is felt this will increase the accountability of the Commission, which some would argue has been lacking.
Legitimate interest
The Bill includes a non-exhaustive list of activities that could be considered a legitimate interest for a controller. Legitimate interest has been the cause of considerable corporate consternation and has driven firms to seek legal guidance. The ‘fuzziness’ of the law has also made it very difficult to enforce – in a nutshell, the law has been very inefficient. The Bill includes a non-exhaustive list of what would be considered as ‘legitimate interest’ This includes direct marketing, intra-group transmission of personal data, and ensuring the security of network and information systems. All claimed legitimate interests beyond those recognised will require a balancing test. The Commissioner has stated that all firms are ‘entitled to make that assessment [legitimate interest], but they need to justify and be accountable for it’. The message is clear – whatever legal basis firms believe they have, be prepared to be challenged!
Records of processing activity (ROPA)
With the new Bill, the requirement for record-keeping will be restricted to high-risk processing activities, determined by the nature, scope, context, and purpose of the processing. The Bill does not clarify what constitutes high-risk and it is for the Commission and organisations to conduct their own assessments. Arguably, this lack of clarity may result in the mislabelling of certain data which has a potential direct or indirect impact on data subjects. For example, data that tracks buying habits could be perceived as ‘low risk’, but equally could potentially encourage targeted fraud and scams.
Fines
The Bill will increase fines for nuisance calls and texts to up to 4% of global turnover or 17.5 million GBP, whichever is greater. This means organisations will need to be mindful of the possible sanctions when performing these direct marketing activities.
Data Protection Officer (DPO)
For organisations that monitor data on a large scale and for public bodies, there is a requirement to appoint a Data Protection Officer, and with it to conform to statutory responsibilities. Under the Bill, organisations will no longer need to appoint a DPO. These organisations and public authorities will need only to appoint a Senior Responsible Individual (SRI) that will be accountable for data protection compliance. The SRI should be a member of senior management.
Additionally, controllers and processors outside the UK are no longer required to appoint a UK-based DPO.
Transfer mechanisms
The Bill introduces a new test for new transfer arrangements. It is important to note that there will be no need to repaper old ones and that transfer mechanisms lawfully entered into before the Bill takes effect will continue to be valid under the new regime. Rather than seeking equivalence with the EU, the Bill gives the Commission greater scope to allow transfer in different jurisdictions and a more common-sense approach to the flow of data to facilitate economic growth.
Digital verification services
The Bill introduces a framework for the use of digital verification services.
Data Subject Access Requests (DSARs)
Firms can refuse to respond to Data Subject Access Requests or charge a fee if the request is deemed vexatious or is considered to have an alternative motive.
Use of cookies
The Bill will amend the Privacy and Electronic Communications Regulations (PECR) to reduce ‘consent fatigue’, allowing firms to use cookies without consent where they are necessary to enable the functionality of the website and are not for marketing purposes.
Artificial Intelligence (AI)
As we know, AI is set to revolutionise the way we operate in many ways. However, from a data protection perspective, it may also introduce certain risks and dangers. The new Bill is looking to apply responsibilities to them. If it passes, it will be the first comprehensive regulation for AI and could catch software not normally considered AI. Where a firm falls within the definition of AI, it will be categorised as a provider (developer) or a user (where services are procured from the provider). The bill takes a risk-based approach to AI where unacceptable risks are prohibited. The focus is on high-risk activities such as credit scoring, recruitment, or other employment decisions. Low-risk systems have minimal requirements, meaning only that individuals must be made aware that they are interacting with AI systems.
Auto decision making
The Bill provides a new definition of auto decision making that is, one that involves no meaningful human involvement, with new measures allowing users to contest and demand human interaction, for example,. if someone is refused a loan due to ADM then they should be able to contest and seek a review. If unwarranted, then the controller will need to re-evaluate and seek a new decision.
What do firms need to do?
Although the Bill is still progressing through Parliament and may be amended further, it is important for firms to start considering the impact the proposed changes might have on their Data Protection frameworks to ensure they are up to date and compliant with the new Bill.
Thistle Initiatives has supported firms for over 10 years as a trusted compliance and regulatory advisor in addition to assisting you as and when required, our team of specialists can provide ongoing guidance on how to meet the FCA’s rules. Our team will not only keep you up to date with new regulations on the horizon but ensure you are fully compliant today.
Are you looking for help with Data Protection or more general regulatory questions? Contact our specialist team now to schedule a free consultation. Get in touch with us by calling 0207 436 0630 or sending an email to info@thistleinitiatives.co.uk.