Data protection reform: five things you need to know

On 17 April, the Data Protection and Digital Information (No. 2) Bill had its second reading in the House of Commons. This was a significant milestone towards the much heralded, and much delayed, post-Brexit reform of the UK’s data protection laws.

The Bill has already had a difficult start. It was first introduced to Parliament in July 2022, following the UK government’s earlier consultation on proposals for reform of the UK’s data protection laws. The government pitched these reforms as a ‘Brexit dividend’ that could save UK businesses £1 billion and remove pointless ‘box-ticking’ exercises.

But the downfall of Boris Johnson, followed by the brief premiership of Liz Truss, delayed progress on the Bill. At the Conservative party conference in October, a ‘pause’ to the Bill was announced, to allow the new government to reflect on the proposals. That pause lasted until March this year, when the proposals re-emerged as a brand new bill (hence the ‘No. 2’ in the title).

There hasn’t been universal backing for the Bill. Although the complexities of data protection law are well known and there is cross-party consensus about some areas of reform, privacy campaigners such as the Open Rights Group warned of plans to ‘gut’ the UK General Data Protection Regulation, leading to a ‘bonfire’ of rights for individuals.

These debates look set to continue as the Bill makes its way through Parliament, and there may yet be further changes. But the shape of the proposals is now well established, so here are five things you need to know about the Bill:

  1. Don’t panic! It’s really not that radical

The government wants to highlight how the Bill will make compliance significantly easier, while its critics emphasise the threat to individual rights. Both have a point, but don’t be fooled into thinking that this is a radical bill. It’s not.

The Bill will not replace either the UK GDPR or the Data Protection Act 2018, but instead will amend both pieces of legislation. This is very much evolution of existing laws, rather than a complete overhaul. For reputable organisations that already work hard to meet all of the requirements of existing data protection laws, there is little to be concerned about in the proposals. That work certainly won’t be wasted.

Having said that, the Bill contains a series of relatively small changes that, taken together, will move the UK’s data protection regime in a more pro-business direction (or lower the protections for individuals, depending on your viewpoint). That’s plenty to generate heated debate, but not enough to cause organisations to panic about their compliance.

  2. Adequacy is not under threat (at least not yet)

A lot of commentary on the Bill has focussed on the concept of ‘adequacy’. In June 2021, the European Commission issued a so-called adequacy decision in respect of the UK, allowing the free flow of personal data from the EU to the UK to continue without restriction. A reciprocal decision from the UK government allows unrestricted data flows from the UK to the EU.

The EU’s decision reflects the fact that UK data protection law is currently very similar to EU law. Any changes to UK laws, particularly if they are seen to weaken the protection of personal data, could undermine that decision and put the free flow of data at risk.

So the EU will be looking very carefully at the changes proposed in the Bill. However, there is nothing in the Bill that changes the fundamental data protection framework, and so adequacy is unlikely to be threatened in the short term.

  3. Accountability is here to stay, but not (quite) as we know it

Some of the most eye-catching changes proposed are around accountability. Under the current regime, there are various mandatory requirements for organisations to demonstrate their accountability. If the Bill passes in its present form, many of these requirements will be removed. Controllers and processors will be given much greater flexibility as to how they choose to demonstrate their compliance.

For instance, the Bill will remove the existing requirement for controllers and processors to maintain detailed records of their processing activities. In its place, the Bill will require controllers and processors to maintain ‘appropriate’ records of their processing of personal data. The new requirement is much less prescriptive and, beyond containing certain core information, controllers and processors can decide for themselves what records are appropriate. This flexibility will no doubt be welcomed, but organisations that have put significant resources into data mapping to really understand their processing activities are unlikely to want to throw away all of that work.

In a similar vein, the Bill proposes removing the provisions around undertaking data protection impact assessments. These are to be replaced with more light-touch ‘assessments of high risk processing’. Again, organisations that take data protection seriously are likely to continue to use their familiar DPIA processes, whereas others may take shortcuts.

  4. DPO RIP?

The Bill proposes scrapping the mandatory requirement for some organisations to appoint a Data Protection Officer. Instead, organisations will need to designate a ‘senior responsible individual’ for data protection. Whilst this sounds like a simple change of name, in fact this subtle distinction hides a potentially important change.

Currently, a DPO should be appointed for their expertise in data protection, should report to the highest level of management and should be able to give advice without any conflicts of interest: a quasi-independent expert whose opinion carries real weight. By contrast, the ‘senior responsible individual’ role looks more like a requirement to give an existing member of the senior management team a new hat to wear. There is no requirement for the individual to have particular expertise, and they are entitled to delegate the role, although that should only be to someone suitably skilled.

For reputable organisations with established DPOs, this change may involve a simple re-designation, but there is a risk that some organisations may use it to downgrade data protection compliance. Data protection could lose its senior status, with the senior responsible individual delegating what were DPO tasks to a much more junior level.

On the other hand, another round of changes to data protection law is unlikely to dampen the already sky-high demand for data protection experts. The exact role may change, but don’t expect to see too many unemployed DPOs just yet.

  5. Changes to individual rights – from AI to vexatiousness

The Bill contains some changes to individual rights. This includes replacing Article 22 of the UK GDPR, which provides individuals with rights in relation to automated decision-making. This is an area of huge media interest at the moment, as the publicity around the use and abuse of AI technologies such as ChatGPT continues to grow. To the disappointment of some, the Bill does not contain any new rights or protections for individuals. Don’t be surprised if this part of the Bill is substantially amended during its passage through Parliament.

One proposal that may be welcomed by controllers is to change the threshold for either charging a fee or refusing a request, from “manifestly unfounded or excessive” to “vexatious or excessive”. The current language has proved difficult to interpret and controllers have been understandably reluctant to apply it. The amended wording is clearer and should give controllers confidence to refuse requests that are intended to cause distress, are not made in good faith or are an abuse of process.

To conclude, the Bill is still at the early stages of its Parliamentary journey and won’t become law for some time. There will be changes ahead, but this isn’t a major overhaul and so there’s no need to panic. The best way to future-proof your compliance is to continue complying with the existing law.