top of page
Search

QED NEWS BULLETIN - Autumn 2022

In all our training courses to date on the General Data Protection Regulation (GDPR) and the Privacy & Electronic Privacy Communications Regulations (PECR) we have highlighted the news that post Brexit, change is on the way with both!  The Government as we reported in our Summer  2022 newsletter intend to pilot over 28 new pieces of legislation through the current Parliament until 2024. And the Data Protection Reform Bill is one of these.

 

In a nutshell the government say this means: -

 

  • Taking advantage of the benefits of Brexit to create a world class data rights regime that will allow us to create a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK.

 

  • Modernising the Information Commissioner’s Office (ICO), making sure it has the capabilities and powers to take stronger action against organisations who breach data rules while requiring it to be more accountable to Parliament and the public.

 

  • Increasing industry participation in Smart Data Schemes, which will give citizens and small businesses more control of their data.

 

  • Helping those who need health care treatments, by helping improve appropriate access to data in health and social care contexts.

 

  • The reforms will create over £1 billion in business savings over ten years by reducing burdens on businesses of all sizes.

 

  • A 2018 economic analysis by the Department for Digital, Culture, Media and Sport and Ctrl-Shift estimates that the productivity and competition benefits enabled by safe and efficient data flows would create a £27.8 billion uplift in the UK

 

 

Key changes to GDPR and PECR

GDPR

Accountability:

 

  • The Government plans to proceed with the requirement for organisations to implement Privacy Management Programmes (PMPs) in all networks and offices.

  • Organisations will have to implement a PMP based on the ‘level’ of processing they’re engaged in & the volume and sensitivity of personal data they handle.

  • These requirements will be subject to the same sanctions as under current laws.

 

Data Protection Officers:

 

  • The requirement to designate a Data Protection Officer (DPO) will be repealed when these reforms are implemented.

  • There will be a new requirement to appoint a senior individual responsible for data protection. Most of the tasks of a DPO will become ‘the ultimate responsibility of a designated senior individual to oversee as part of the privacy management programme.’

 

Data Protection Impact Assessments: (DIPAs)

 

  • Under the new PMP requirement, organisations will be required to identify and manage risks, but ‘they will be granted greater flexibility as to how to meet these requirements.

  • There will no longer be requirements to undertake DPIAs as prescribed by the UK’s GDPR.  However, organisations will be required to make sure they have ‘risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation.’

  • Organisations will be able to continue using their DPIAs (if required) but can tailor them based on the nature of their processing activities.

  • Existing DPIAs will remain a valid way of achieving the new requirements.

 

Record of Processing Activities:

 

  • Personal data inventories will be needed as part of organisation’s PMP, covering what and where personal data is held, why it has been collected and how sensitive it is.

  • Organisations will not have to stick to the prescribed requirements set out under Article 30, UK GDPR.

 

Reporting of Data Breaches:

 

  • No changes will be introduced to alter the threshold for reporting a data breach.

  • The Government will work with the Information Commissioner (ICO) to explore the feasibility of clearer guidance for organisations.

 

Subject Access Requests:

 

  • The Government plans to proceed with changing the current threshold for refusing or charging a fee for Subject Access Requests from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. It is said this will bring it in line with the Freedom of Information regime.

  • No re-introduction of a nominal fee for processing access requests.

 

PECR Cookies:

  • In the immediate term, the Government intends to permit cookies (and similar technologies) to be placed on a user’s device without explicit consent, ‘for a small number of other non-intrusive purposes. It’s anticipated this will include analytics cookies which allow organisations to measure traffic to webpages and improve offerings to users.

  • It’s intended these changes will apply to connected technology, including apps on smartphones, tablets, smart TVs, or other connected devices, as well as websites.

  • In the future, the Government intends to move to an ‘opt-out model of consent for cookies placed by websites. The Government says its ambition is to improve the user experience and remove the need for ‘unnecessary’ cookie consent banners. It stresses an opt-out model would not apply to websites likely to be accessed by children (we’re assuming this means consent would be required) and its ambitions will be subject to an assessment that effective solutions are widely available for use.

 

Use of ‘soft opt-in’ extended:

 

  • The ‘soft opt-in’ exemption to consent (for email and SMS marketing) is set to be extended to charities and not-for-profits.

PECR fines to be increased:

 

  • The Government plans to proceed with proposals to increase fines under PECR. This will allow the ICO to levy fines of up to £17.5m or 4% of a business’s global turnover.  This would bring fines in line with current fines under the existing regime.  Currently the maximum fine under PECR is capped at £500,000.

 

Political campaigning:

 

  • The Government plans to consider whether the political communications should remain within the scope of PECR’s direct marketing rules (or be excluded).

 

  • It also intends to extend the soft opt-in so that ‘political parties and elected representatives can contact individuals who have previously shown an interest in the activities of the party (for example, by attending a conference or donating) without their explicit consent, provided they have been given an opportunity to refuse such communications at the point of providing their details’.

 

Human oversight of automated decision-making and profiling:

 

  • The Government notes that during the consultation on the reforms, a vast majority of the respondents opposed the proposal to remove Article 22.  The right to human review of automated decisions is considered a fundamental safeguard. It was also confirmed that this proposal will not be pursued.

 

  • The Government says it will be considering how to amend Article 22 to clarify the circumstances in which, this must apply. It says it wants to align proposals in this area ‘with the broader approach to governing AI-powered automated decision-making’.  This will form part of an upcoming white paper on AI governance.

 

Legitimate Interests:

 

  • The Government intends to create a limited list of defined processing activities where there would not be a requirement to conduct a balancing test for legitimate interests. This list will initially be limited to ‘carefully defined processing activities.

  • This is likely to include processing activities to prevent crime, reporting safeguarding concerns or those which are necessary for important public interests’ reasons.

  • The Government proposes a new power to be able to update this list subject

 

Adequacy:

 

A key concern is whether the Government’s changes to data protection legislation will risk the EU’s adequacy decision for the UK. This allows for the free flow of data from the EU to the UK without the need for additional safeguards.   Adequacy is not referenced in the Government response to the consultation.

 

Response from the ICO:

 

UK Commissioner, John Edwards stated that ‘he will support and share his ambitions for implementation of these reforms” In particular he says, “I am pleased to see the government has taken our concerns about independence on board”.  You can read the ICO’s statement here.   The independence of the ICO was cited by Mr Edwards as an area which could jeopardise adequacy (in recent evidence he gave to the House of Commons Science and Technology Committee).

 

What next?

 

We now have to await the detail of the Data Reform Bill, which will be subject to parliamentary scrutiny.  So still a long way to go before the intended changes come into play. Our training courses profiled below will continue to capture the latest breaking news and clarification of the growing amount of jargon that builds around both GDPR and PECR! A 12-month update service is also triggered after every course.

Training offered by us- Current one day courses include: -

 

  1. The General Data Protection Regulations (GDPR)

  2. Privacy Impact Assessments

  3. Privacy and Electronic Communications Regulations (PECR)

  4. Information Governance

  5. Cyber Security

  6. Online Safety Bill

 

They are normally delivered in a training room but can be broken down into three-hour modules for online training.  Full details on request -qedworks@hotmail.co.uk

 
 
 

Comments

bottom of page