Reform of Data Protection Law
The Data Protection and Digital Information Bill was first introduced in summer 2022, and ministers have since been engaging in a co-design process with business leaders and data experts. That process led to the publication of a second iteration of the Bill in March 2023; the first version will proceed no further.
The Bill is intended to advance the Government’s stated aim of capitalising on Brexit by moving away from the ‘one-size-fits-all’ approach of the EU GDPR and allowing more flexibility in areas the Government believes will support economic growth. This article summarises some of the key points in the Bill.
The first change to be aware of is to the definition of personal data. The new Bill retains the narrower definition introduced in the original iteration: information is treated as relating to an identifiable individual only (i) where the individual is identifiable by the controller or processor by reasonable means at the time of processing, or (ii) where the controller or processor knows, or ought reasonably to know, that another person will, or is likely to, obtain the information as a result of the processing and that the individual will be, or is likely to be, identifiable by that person by reasonable means at the time of processing. The definition therefore disregards third parties who might have the means to identify the data subject but are unlikely ever to obtain the data. On this reading, data about living individuals that have been separated from the relevant identifiers would fall outside UK data protection law in a wider range of circumstances than at present, perhaps including where the same organisation holds the identifiers in a separate repository with no intention of using them to re-identify individuals. Firms should treat that last point with caution until the wording is settled: pseudonymised data that a controller can readily re-link remains personal data under the current UK GDPR, and the new test still turns on what the controller or processor can do by reasonable means.
The second important change gives organisations greater confidence about when they can process personal data without consent, which the Government sees as a driver for growth, particularly for data used in direct marketing. The Bill does this by listing further specific activities or interests that may be regarded as a controller’s legitimate interest for processing. In addition to those set out in the original iteration, the new Bill names direct marketing, intra-group transmission of personal data for internal administrative purposes, and ensuring the security of network and information systems. These three examples largely restate what Recitals 47 to 49 of the GDPR already say about legitimate interests, but placing them in the operative text gives controllers firmer ground to rely on. The examples are expressly non-exhaustive, and other legitimate activities may exist, provided the legitimate interests assessment is still carried out.
The rules also allow such processing where there is a public interest in sharing personal data to prevent crime, safeguard national security or protect vulnerable individuals. The vulnerable individual condition is met where the processing is necessary for the purposes of safeguarding a vulnerable individual. In paragraph 6 of the relevant section, “safeguarding”, in relation to a vulnerable individual, means:
(a) protecting a vulnerable individual from neglect or physical, mental or emotional harm, or
(b) protecting the physical, mental or emotional well-being of a vulnerable individual.
A “vulnerable individual” is an individual aged under 18, or an individual aged 18 or over who is at risk. An individual is at risk where the controller has reasonable cause to suspect that the individual:
(i) has needs for care and support,
(ii) is experiencing, or is at risk of, neglect or physical, mental or emotional harm, and
(iii) as a result of those needs is unable to protect themselves against the neglect, harm or risk.
All three limbs must be met.
It is also important to note what the Bill means by the ‘protection of an individual, or of the well-being of an individual’: it covers both protection of a particular individual and protection of a type of individual from neglect, harm or risk. This is a broad definition which could well be applied in financial services.
There are other, less impactful changes. Cookie requirements would be redesigned to reduce the number of pop-ups required, and the record-keeping rules would change so that only organisations whose processing activities are likely to pose high risks to individuals’ rights and freedoms need to keep processing records. This could include, for example, organisations processing large volumes of sensitive data about health.
Finally, the Bill retains amendments to a controller’s ability to refuse to comply with data subject requests (or to charge a fee for handling them) where a request is ‘vexatious or excessive’, replacing the existing threshold of ‘manifestly unfounded or excessive’. A request may be considered vexatious or excessive where it is intended to cause distress, is not made in good faith, or is an abuse of process.
For now, the UK GDPR remains very much in force. Firms should continue with the current standard of data protection activities. Our UK GDPR compliance resources provide everything that firms need to meet the legislative requirements. We also offer Understanding The Data Protection Regulation online training that interprets the requirements that all staff need to abide by in an easy to understand, relatable way. Priced at £20, the course is accessible at the user’s convenience and provides a certificate upon successful completion.