UK’s Data Protection and Digital Information Bill
In September 2021, the UK Government launched its public consultation exercise, “Data: A new direction”, to inform its proposals for reforming the UK’s data protection laws. Part of the Government’s 10 Tech Priorities, the consultation included some revolutionary ideas, with the intention of helping to secure a pro-growth and trusted data regime as part of the UK’s National Data Strategy.
On 18th July 2022, the UK Government set out its detailed proposals for data protection reform by way of the Data Protection and Digital Information Bill. The Bill steps back a little from the more radical ideas seen previously, but seeks to reform not only data protection but also the Information Commissioner’s Office and the Information Commissioner role. At some 180 pages in length, with a further 130 pages of explanatory notes, it is now at its 2nd reading in the House of Commons.
Given the current state of the UK Government’s administration, the final version of the Bill depends on the new administrative office and its views in relation to data protection reform. However, the legislation is not expected to be passed, in whatever new form this may be, before spring 2023 at the earliest.
Some of the key proposed changes in the Bill are:
No More Data Protection Officer
Instead, a Senior Responsible Individual (SRI). Where there is currently a requirement for a Data Protection Officer (DPO), the Bill proposes that those organisations will instead need to identify an SRI, who will oversee data protection compliance. Whilst the SRI will have the ability to delegate this responsibility, possibly to someone carrying the title of DPO, how this will work in practical terms remains to be seen.
It is yet to be seen if this is a move to align the data protection world with the financial services world and the FCA’s Senior Management Regime – finally placing someone with high level authority and responsibility firmly in the sights of the regulators when things go wrong with data protection, instead of the Subject Matter Expert (SME) (or DPO as they are otherwise known).
This move could further enable the outsourcing of the SME/DPO role, with an SRI within the firm remaining in overall charge of data protection compliance.
Assessment of High-Risk Processing not DPIA
The Bill proposes to narrow the scope of the DPIA, so that only Data Controllers undertaking “high risk” processing will need to carry out an assessment. The assessment will have certain required elements such as:
- the purposes of the processing,
- an assessment of whether the processing is necessary,
- the risks the processing poses to individuals/data subjects,
- details of how the Data Controller intends to mitigate any identified risks.
The existing mandatory requirement to consult the ICO prior to conducting high risk processing, where the identified risk cannot be reduced, is made optional in the Bill. This will place an even greater responsibility on the SRI to ensure that the processing and risk mitigation controls are documented and implemented, especially if such a risk were to materialise and result in damage to a data subject.
Records of processing activity (ROPAs)
ROPAs will be less detailed for all, and the exemption for companies with under 250 employees will apply unless there is “high risk” processing under the Bill. There will still be a need to assess whether proposed processing is “high risk” as per the Assessment of High-Risk Processing, and where this exists, guidance from the ICO will be needed.
Manifestly unfounded or excessive Data Subject Access Request (DSAR)
Under existing legislation, a Data Controller can only refuse to respond to a DSAR, or charge a fee for such a response, where they consider the request to be manifestly unfounded or excessive. Under the Bill, the proposal is that a Data Controller will have the right to resist “vexatious or excessive” requests, for example those which are intended to cause distress, are not made in good faith or are an abuse of process. Where a vexatious or excessive request is identified, the Data Controller will be able to refuse the request or charge a fee for their response.
No more UK representatives
The requirement for overseas Data Controllers within scope of the UK GDPR to appoint a representative in the UK is removed.
Complaints processes
A formal complaints process for Data Subjects is proposed, which would mean the Data Subject has a ‘right’ to complain to Data Controllers about any UK GDPR breach relating to their data.
The process would be in addition to the Data Subject’s existing right of access and would see Data Controllers required to take steps to facilitate this complaints process, acknowledge receipt of the complaint within 30 days, and, without undue delay, take appropriate steps to respond to the complaint in full.
Fines, Exemptions and Cookies
Under the Bill the maximum fines for breaches of the Privacy and Electronic Communications Regulations (PECR) are proposed to increase to meet the UK GDPR level, being £17.5 million or 4% of global annual turnover.
Some smaller changes are also proposed, such as the right for non-commercial entities (charities, political parties) to benefit from the “soft opt-in” exemption for email marketing (removing the need for prior consent to email marketing if certain conditions are met).
There is also a relaxation in respect of some cookies in the Bill, in particular relating to consent, as prior consent will no longer be required for cookies solely for statistical analysis, or that are security update or functionality related.
However, it will still be necessary to provide notice of the cookie and the ability to refuse them, so cookie banners will not disappear from our screens entirely.
And finally, telecom companies (public electronic telecommunication service and public communication network providers) will be placed under a new obligation, if the Bill is passed “as is”, to report suspicious activity to the Commissioner within 28 days of any unlawful direct marketing. Firms failing to meet this obligation could be subject to a £1,000 fixed penalty fine.
These are just some of the changes that the Bill will bring about. Potentially not as earth shattering as once indicated, but as the Bill is only at its 2nd reading in the House of Commons, there is still plenty of time for everything to change.
A watching brief is definitely required, and the advice for firms for now is to think about how they are going to manage and implement the SRI role.
Data Protection – How can Complyport Help?
Our experienced Cyber Security and Data Protection team led by Martin Schofield—one of the world’s leading specialists in the field—brings a wealth of experience to every project we are engaged in. Complyport can not only provide advice, guidance and support on cybersecurity and data protection, but can also provide Data Protection Officer Support as a Service.
DPO Support As a Service
Our Data Protection Officer/Support service team, made up of experienced and multiskilled personnel including a Certified Data Protection Officer and industry practitioners, is at your disposal when you are looking to address data protection risks and enhance your privacy mechanisms and internal framework. Our service entails assisting you to understand and work within the legislative complexities which govern the processing of personal data, while at the same time considering your business needs with respect to Information Systems, data security and organisational processes across the full scale of your operations.
Our multi-faceted Data Protection Services are provided through our multiskilled team of legal, security and operational experts when you are looking to:
- Implement essential elements of UK Data Protection Act 2018 (DPA) and the General Data Protection Regulation of the European Union EU2016/679 (GDPR), such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing, and notification and communication of data breaches.
- Foster a data protection culture within your organisation and with your external stakeholders
- Carry out DPIAs where needed and suggest the appropriate technical and organisational measures to mitigate the identified risks
- Support the management of Data Breaches with respect to response, notifications, communications, and advice on corrective actions necessary to prevent losses, regulatory complications and reputation impact.
- Where necessary, provide a contact point for the Information Commissioner’s Office (ICO)
- Provide solutions/answers to those data protection questions that puzzle your staff and help with decision making when a data protection issue arises in the context of your daily business.
If this article has raised any questions, or you think your firm may require assistance, please contact either Martin Schofield via martin.schofield@complyport.co.uk or Jan Hagen via jan.hagen@complyport.co.uk to book in a free consultation.
About Complyport
Complyport is the City’s market-leading consulting firm, supporting the UK financial services industry for over 20 years. We specialise in providing Governance, Risk and Compliance services to support the regulated financial services industry to raise standards and thrive.
Complyport advises and assists firms to become authorised and to comply with the rules and requirements of regulators on an ongoing basis. Our vision is to be there for our clients every step of the way, helping them change, grow, and excel through expertise, insight, and innovation, and in so doing to become our clients’ most valued supplier and trusted advisor.
We have successfully assisted over 1000 firms to become authorised with the FCA and EU regulators, and are providing regulatory support to over 600 regulated firms on an ongoing basis globally. With a presence in the UK and EU, as well as via our Associates Network, Complyport can assist firms across multiple jurisdictions.
Complyport’s multidisciplinary consultants possess deep expertise in their field, having acted in FCA skilled person reviews, as expert witnesses in legal cases and as expert investigators for firms or their legal advisers.
Day to day, we conduct audits and reviews of a firm’s products, processes, policies, and procedures to identify scope for business, to determine the impact of regulatory developments and to verify compliance with local regulations. Our clients tell us we live our values; we are driven, agile and collaborative.