Facit Data Systems

How to interpret the latest Data Protection and Digital Information Bill

The government claims the latest Data Bill will save the economy £4.7 billion, while commentators suggest the Bill contains no radical changes to current legislation. What would the changes be, and will you have time to implement them?

Can you interpret the government’s latest Data Protection and Digital Information Bill?

Few business managers will forget the furore, fanfare and preparations that preceded the introduction of the EU GDPR in May 2018. There were some immediate and notable changes in the landscape.

2018 gave rise to the company Data Protection Officer, whom companies had to nominate – or employ – and train. Also, in general, email marketing and spamming slowed to near-zero. Our mailboxes went quiet overnight.

Businesses gradually learned and implemented necessary compliance practices to manage the way in which data (documents, databases, images and video) is captured, stored, shared and managed. In the UK, the ICO was relatively tolerant in the early days of GDPR, published a lot of practical information, and promoted its willingness to be on-hand to deal with queries.

Over the past five years, the general public has also become knowledgeable about its data privacy rights and there has been a growing number of data subject access requests each year.

Why is the government seeking to introduce new data legislation?

The latest version of the Government’s Data Protection and Digital Information Bill appeared in March 2023, and contained amendments to the first version of the Bill that was submitted in July 2022.

The Bill is a post-Brexit initiative. The government’s press release makes clear its objectives for the Bill and uses some now-familiar terms and references.

Science, Innovation and Technology Secretary Michelle Donelan said: “This new Bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs. Our system will be easier to understand, easier to comply with.” She characterised EU GDPR as “barrier-based” and said the new Bill would “create jobs and boost our economy.”

The Government’s press release claims planned changes will result in £4.7 billion in savings for the UK economy.

Are there any radical changes in the new UK Data Bill?

As yet nothing has been finalised in the Bill. In parliament, some MPs have suggested the Bill could compromise the UK’s data adequacy status. Yet most commentators suggest that the Bill does not propose anything game-changing.

The consultancy group Data Protection Network (DPN) concludes: “For many large organisations which operate in the UK, across the EU and further afield, it could be mostly business as usual, with EU GDPR remaining the benchmark. For small businesses which fall under the threshold for key existing requirements, the changes are unlikely to have a huge impact. For others depending on their size, nature of their business and operational structure, it may necessitate changes and potential efficiencies.”

At first sight, most proposed data privacy changes appear nuanced

As yet, none of the proposed data privacy changes have been stress-tested. However, as DPN suggests, none of the proposed changes appear “hugely radical.”

The Bill includes an attempt to modify the definition of personal data to a concept of an ‘identifiable living individual’. The Bill introduces the idea of ‘appropriate records’ to replace the requirement for a Record of Processing Activities. Impact assessments may in future only be necessary for ‘high risk’ data processing. Data Protection Officers could be replaced by Senior Responsible Individuals.

If you would like a concise review of the 212-page Bill, you will find a useful ‘Top 10 takeaways’ summary of the new Bill on the IAPP website.

What does low and high-risk data processing mean in reality?

At Facit we are interested to learn more about the categorisation of data into low and high risk, as debates in parliament and among consultants continue.

Data that most people would categorise as high risk would include medical and financial data. In a recent blog, we wrote about the calamitous results of data breaches in the NHS. However, it is unlikely that there would be universal agreement about what constitutes low risk data.

In our experience, data is rarely held in such a way that it does not present risks, insofar as it is rarely unconnected from extended information. The possibility for an unauthorised party to see, use or share an individual’s personal data is, and is likely to remain, a potentially serious risk.

Facit helps you to stay compliant in every territory, regardless of regulation changes

At Facit, we are looking forward to questions being answered and seeing what material changes unfold. If an organisation has invested in robust data security measures that underpin its reputation and the well-being of its customers, is it likely to change what is evidently best practice? Based on their direction and pronouncements, there may well be different feelings and requirements about data privacy changes in UK countries. Northern Ireland could be a special case once again, while some parties in Scotland have a competing agenda.

More readings of the Data Protection and Digital Information Bill have been scheduled. If, as has been suggested, the aim is to pass the Bill by October this year, there will be a lot of mechanisms to digest and, potentially, to change. Certainly, there will be a lot less time to adapt than in the lead-up to the introduction of EU GDPR.

At Facit, we help organisations in countries around the world to maintain data privacy in accordance with the laws and regulations that prevail in their territories. If you have concerns about how changes in legislation might affect you, we would be pleased to talk to you about our proven solutions and how they adapt to meet data privacy regulations across all continents.