Summary of DCMS Proposals
Broadly, this is all change for change's sake. The substance and complexity of data protection law remains untouched and, based on the DCMS response, the proposals seem to have more to do with political gesturing (i.e., proving to the EU that we can exercise newly found Brexit freedoms) than with radical change. From our perspective, the fact that data protection law remains largely untouched is a positive thing to be welcomed. The headline changes are below.
What is the current regime?
The current UK data protection regime consists of the UK GDPR, the Privacy and Electronic Communications Regulations and the Data Protection Act 2018.
The government’s response presents proposals that build on this current regime, focusing on:
reducing burdens on businesses and delivering better outcomes for people – aiming to provide a high-standards, flexible data protection regime that incentivises organisations to invest in data protection governance and skills;
reducing barriers to responsible innovation – clarifying provisions within legislation to help drive and deliver discovery and cutting edge tech;
boosting trade and reducing barriers to data flows – proposing to clarify how and when personal data can be transferred across borders;
delivering better public services – focusing on the importance of using personal data responsibly, building trust and transparency and collaborating between the public and private sectors; and
reforming the ICO – investing in the ICO’s critical regulator role to continue setting a world-leading reputation.
What are some of the big ticket proposed changes the government plans to proceed with?
Removing the requirement to appoint a Data Protection Officer (“DPO”)
It is proposed to remove the mandatory DPO, with a requirement to appoint a suitable ‘senior responsible individual’ instead. The senior responsible individual will oversee most of the tasks of a DPO, and organisations may continue to appoint a DPO where they consider it best. From our perspective, the removal of the DPO seems like an empty gesture. In reality, all businesses will still need to comply with the law, and the DPO often enables this.
Removal of the requirement to complete data protection impact assessments
Organisations are still required to identify and manage risks when processing data, but they will have greater flexibility as to how they identify and meet such risks. As with the DPO requirement, this seems like an empty gesture. A business which fails to complete a data protection risk assessment is just as likely to be exposed to regulatory non-compliance.
Organisations able to refuse vexatious or excessive subject access requests (“SAR”)
The threshold for subject access request responses will be amended, entitling organisations to refuse a SAR where it is ‘vexatious or excessive’.
Move towards an opt-out cookie regime
The government intends to legislate to remove the need for websites to display cookie banners to UK residents. In the immediate term, cookies will be permitted without explicit consent for a small number of non-intrusive purposes. These changes will apply to websites and connected tech such as apps, tablets and smart TVs. Moving forward, the government seeks to move to an opt-out model of consent for cookies placed by websites.
Exemptions for the legitimate interests balancing test
Controllers are currently required to weigh up and document whether their interests in processing personal data outweigh the rights of data subjects (known as the “balancing test”). The consultation responses raised concerns about the time, effort and complexity involved in completing this, and so the government proposes to create a limited, exhaustive and carefully defined list of legitimate interests for organisations to use without the need to apply the balancing test (for example, crime prevention).
You can find the full response here.
Get in touch
This article was prepared by Hollie Tompkins.
If you would like to know more about this article or require any advice on issues you may be facing, please get in touch with Matthew Holman for any Data Protection queries.