Here are some of the highlights of how UK businesses might benefit.
- Cookies: This is the change that has garnered the most headlines. The government intends to remove the need for websites to display cookie banners to UK residents. Instead, it will permit cookies to be placed on a user’s device without explicit consent for a small number of non-intrusive purposes. In time, it will move to an opt-out model of consent for cookies in conjunction with a browser-based solution. Given the international nature of websites and other technologies, it will be interesting to see if developers make this adjustment for the UK.
- Align PECR enforcement with UK GDPR. PECR deals with cookies, direct marketing and nuisance calls. The government intends to increase the ICO’s powers for dealing with nuisance calls and direct marketing in line with UK GDPR. This means broader enforcement powers and fines of up to 4% of global turnover. This is a popular change.
- Privacy management programmes. The government intends to introduce “privacy management programmes” while maintaining the same level of data protection. This will be the framework around which it will then remove a number of requirements:
- DPOs. It will replace data protection officers with a “designated senior individual” with responsibility for data processing. It will be interesting to see how this differs from what UK GDPR already allows.
- DPIAs. While most respondents agreed that data protection impact assessments are helpful, the government proposes to remove the need for them. Instead, businesses will use risk assessment tools under the privacy management programme.
- Removal of the record of processing activities. Despite the majority of respondents seemingly disagreeing, the government intends to remove this requirement. Instead, organisations will document the purposes of processing under their privacy management programme.
- Breach reporting requirements. After reviewing the responses, the government has decided not to alter the breach reporting requirements.
- Subject access requests. The government recognises the value of subject access requests. But it proposes to change the threshold for refusing to respond to or to charge a reasonable fee for a subject access request. This will switch from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. This will bring it in line with the Freedom of Information regime but is a small change.
It has other proposals to “reduce barriers to responsible innovation“. Following the responses received it has diluted these too. So, more tinkering then.
- Legitimate interest. This was to be the big change. The government proposed a broad list of activities that will amount to a legitimate interest. Instead, after feedback, it will now add a limited number of activities. These will include to prevent crime, report safeguarding concerns or are necessary for other important reasons of public interest. It will add the power to update the list of activities but such updates will be subject to parliamentary scrutiny.
- Research. Respondents expressed concerns over the government’s proposed sweeping changes to processing personal data for research. Instead the government proposes to introduce greater clarity over what amounts to research.
- Further processing: the government will simplify the situations where data can be re-used.
- AI and machine learning. As technology progresses, processing by AI will increase. The government wants to ensure AI processing is done fairly.
- Data minimisation and anonymisation. The government proposes to clarify the test for “identifiability” of an individual. This will help determine whether the data has been truly anonymised. It also wants further improvements in privacy-enhancing technologies.
- Innovative data sharing solutions. The government wants to allow greater sharing of personal data to “help drive growth and boost innovation”. In particular, it wants to encourage the use of data intermediaries. This is a tricky balancing act to achieve and the government seems to have narrowed its focus to enabling “Smart Data” schemes.
The government’s intention is to “reduce the burdens on businesses” and “deliver concrete advantages for the UK while preserving data subjects’ rights”. But it is interesting to note that the government now intends to abandon some of its less popular proposals. In particular, it notes the importance of not losing the UK’s adequacy status which would make data transfers to and from the EEA harder.
In its desire to flex new freedoms after Brexit, the government appears to have produced more heat than light. We await the timing of these changes. The reforms it now proposes look like tinkering around the edges rather than producing a big reduction on the burdens businesses face. It is a shame it didn’t undertake this type of exercise while still a member state of the EU. This could have fed through to the original text of GDPR.
If you need advice, contact me firstname.lastname@example.org or +44 (0) 20 7611 2338.