Data Protection Developments
The passage of the UK Government’s proposed Data Protection and Digital Information Bill was paused in late summer 2022 to allow for changes to government. The bill is expected to reenter the parliamentary process this year, potentially ushering in modifications to the current data use regime in 2023.
The new regime is designed to simplify the General Data Protection Regulation – and the UK equivalent, the UK GDPR – as well as combine data protection issues and elements of the current Privacy and Electronic Communications Regulations under a single law.
The fanfare is that the bill will scrap some of the red tape and burden introduced by the GDPR in May 2018, but a close reading of the current version suggests that for some businesses it might add new requirements rather than simplify the framework.
The current format of the bill would introduce a number of changes that the Government say are aimed at reducing the administrative and financial burden on many firms.
Data Protection Officers are currently required where the firm undertakes large scale, regular, and systematic monitoring of individuals. Under the bill, only those firms undertaking ‘high risk processing’ would be required to nominate a suitable senior responsible individual (SRI) who would be responsible for data protection risks in the firm.
The bill would also re-define data protection impact assessments as ‘assessments of high-risk processing.’ In theory this should represent a reduction in obligations, given that the information required for an assessment is more limited than under current DPIA requirements. The definition of ‘high-risk processing’ is, however, not clear at present.
The changes around legitimate interests could mean that the balancing exercise currently required is no longer needed; the bill sets out a list of ‘recognised legitimate interests’ and introduces a new legal basis. The suggested set of legitimate interests is, however, limited to national security, public security and defence, emergencies, crime, safeguarding vulnerable individuals and democratic engagement, which is likely to be of limited use to financial services firms.
Also mooted is a change in the threshold for refusing or charging for a subject access request. Under the UK GDPR, the request must be “manifestly unfounded or excessive”; the proposed changes would water this down to “vexatious or excessive.”
The current wording of the bill has come in for criticism from data protection experts and financial services firms. In particular, firms that operate both within the UK and in Europe would face complications, having to use two separate frameworks. The bill would only apply to data processing activities connected to the personal data of UK residents, and personal data of customers resident in other countries would need to be processed in line with relevant laws.
It has also been pointed out that – from an implementation perspective – some of the changes amount to name or title changes. In some cases, the remit of the DPO will not change at all, but the new acronym – SRI – will need to be updated throughout the firm’s paperwork. The Government say this is an important change, emphasising that data protection risk should be overseen at board/director level.
The updates are, however, important for individuals in the SRI position: the implication is that those holding it could be personally liable, on a par with Chief Financial Officers. The SRI would be responsible for monitoring compliance with legislation, dealing with data breaches and training staff, all in line with current requirements under the UK GDPR. Interestingly, the bill also states that the SRI should be able to develop and implement the firm’s suite of data protection measures, and therefore be accountable for any failure to do so, reflecting the ability to trace the actions of decision-makers under the SMCR.
Under the current proposals, the SRI’s contact details would be listed in a publicly accessible database overseen by the ICO and similar to the FCA Register.
So, what does this mean for financial services firms? The bill has yet to clear parliament, so UK GDPR remains very much in force. Any changes post-ratification are likely to be fairly minor – despite the change in leadership – aimed at adding clarity to some terms. Whatever happens, the principles of data protection and individual rights remain broadly the same; there are no significant changes to the processing of special category data, for example. Firms should continue with the current standard of data protection activities, and this will prepare your firm for any incoming changes.
Our UK GDPR Compliance Resources provide everything that firms need to meet the legislative requirements. We also offer Understanding The Data Protection Regulation online training, which interprets the requirements that all staff need to abide by in an easy-to-understand, relatable way. Priced at £20, the course is accessible at the user’s convenience and provides a certificate upon successful completion.