The UK government has launched its long-awaited consultation on the future of the UK’s data protection framework. If the proposals are implemented, they will have a significant impact on how businesses may process personal data, including data about their customers and employees.
Before Brexit, UK data protection law was largely driven by the EU framework – primarily the GDPR. Following the end of the Brexit transition period in January 2021, the EU GDPR was transposed into UK law as the ‘UK GDPR’. This consultation outlines the government’s first steps to reform the UK GDPR. It follows the government’s statements on the post-Brexit global data transfer regime and the UK’s National Data Strategy.
The government states that the aim of its proposed reforms is to create an ‘ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.’
We have summarised the key proposals below under three key themes: innovation; reducing the compliance burden; and cross-border transfers.
Using data for innovation
The consultation states that businesses unnecessarily rely on getting consent to process personal data, and this has led to ‘consent fatigue’ among data subjects. It therefore proposes to clarify the scope of the ‘legitimate interests’ ground for lawful processing and suggests an exhaustive list of pre-approved legitimate interests; anything on that list would not require the current ‘balancing test’, under which businesses must balance their interests against the rights of the data subject. The proposed legitimate interests would include:
- Monitoring, detecting or correcting bias in AI systems;
- Using personal data for internal research and development purposes, or business innovation purposes aimed at improving services for customers; and
- Managing or maintaining a database to ensure the records of individuals are accurate.
Reducing the compliance burden
The consultation states that the current accountability framework places unnecessary burdens on businesses, and proposes a shift towards a more flexible, risk-based framework. This would involve removing or reducing several compliance requirements, including:
- Removing the requirement to designate a data protection officer (although a suitable individual or individuals would still be responsible for data protection compliance).
- Removing the requirement to undertake a Data Protection Impact Assessment: instead, businesses could adopt different approaches to identify and minimise data protection risks to reflect their specific circumstances.
- Removing the requirement for prior consultation with the Information Commissioner’s Office (ICO) about high-risk data processing. Instead, businesses could engage with the ICO as needed to discuss how to identify and mitigate risks.
- Removing the record-keeping requirements under Article 30, and granting more flexibility for record practices, according to the volume and sensitivity of personal data.
- Raising the threshold for reporting data breaches to the ICO to those breaches where the risk to individuals is ‘material’. The government plans to ask the ICO to produce guidance and examples of what is and what is not reportable.
The consultation also proposes introducing privacy management programmes (PMPs), which it states are part of the data protection regimes in Australia, Canada and Singapore. PMPs would introduce a more holistic approach to accountability by requiring businesses to set policies that are more relevant and proportionate to their activities. Businesses will be responsible for devising and implementing PMPs that reflect the nature of - and risks associated with - their business. The consultation notes that some organisations may need guidance to assist them and that, whilst the proposed legislation will not include detailed requirements for what a PMP should include, the ICO will produce guidance for organisations to support their introduction.
Cross-border data transfers
Post-Brexit, the UK can make its own decisions on the countries to which personal data may be exported. The government has said that it intends to take a more risk- and outcomes-based approach to these ‘adequacy’ decisions. It proposes to launch an ‘ambitious programme of adequacy assessments’, prioritising several countries, including the US, Australia, Republic of Korea, and Singapore. It will also consider making adequacy agreements for groups of countries, regions and multilateral frameworks.
The consultation also proposes:
- Relaxing the requirement to review adequacy decisions every four years and moving to a general monitoring approach of countries’ relevant laws.
- Letting businesses develop their own alternative transfer mechanisms, eg bespoke contracts that would not need ICO approval.
- Clarifying that the derogations for data exports - eg data subject consent - may be used on a repetitive basis (although not for exports based on legitimate interests).
- Exempting ‘reverse transfers’ from the scope of the regime (ie where data originating from outside the UK is sent to the UK and then sent back to the originating jurisdiction).
The consultation is open for feedback until 19 November 2021.