Government confirms details of UK data protection reform

What happened

• The Government has published the response to its consultation on the post-Brexit reform of data protection law.
• The upcoming Data Reform Bill, which will follow this consultation response, is set to replace some of the specific requirements of the current regime with a more flexible, risk-based approach that is centred around a ‘privacy management programme’.
• Privacy management programmes will be based on several elements at the core of accountability, such as: leadership and oversight, risk assessment, policies and processes, transparency, training and awareness of staff, and monitoring, evaluation and improvement.

• Whilst we await the Data Reform Bill, below is a summary of some of the key changes it will include:
  • In a bid to eliminate cookie banners, an opt-out model for the use of cookies will be implemented once effective preferences management technology is widely available. In the meantime, websites will be able to use a wider range of cookies without seeking users’ consent.
  • To align with GDPR levels, fines for non-compliance with PECR will be increased to a maximum of £17.5m or 4% of global annual turnover.
  • Non-commercial organisations such as charities will be able to rely on a “soft opt in” to send direct electronic marketing to existing customers without consent, in the same way that commercial organisations can now.
  • Obligation to designate a Data Protection Officer (DPO) will be replaced with a requirement to appoint a ‘designated senior individual’ to oversee the privacy management programme.
  • Requirement to carry out Data Protection Impact Assessments (DPIAs) will be removed, in favour of granting organisations greater flexibility as to how to identify and manage risks, using risk assessment tools.
  • Certain activities defined by the Government will be exempt from the third step of the Legitimate Interests Assessment (LIA), known as the ‘balancing test’. This is likely to include activities such as the prevention of crime, safeguarding purposes and other important reasons of public interest.
• The requirement to maintain specific information forming a Record of Processing Activities (ROPA) will be removed and replaced with a more flexible personal data inventory.

Why it matters

• It is important to note that the Government’s proposals are in no way final at this stage. Once published, the Bill must pass through the parliamentary process to become law, where it may be subject to amendments and challenges along the way.
• The changes have not diverged as far as originally proposed by the Government in their consultation on possible reforms to data protection law last year. In fact, it remains to be seen whether the changes are more style than substance e.g., ROPAs to be replaced with ‘personal data inventories’ and DPOs replaced with a ‘designated senior individual’ to oversee the privacy programme. The devil will of course be in the detail, and we will provide further commentary as the Bill makes its way through parliament and proposals develop.
• The Government’s consultation set out that Organisations will not be required to make substantial changes to comply with a new, UK-specific regime, as privacy management programmes will allow flexibility to find the most effective and proportionate means of meeting the outcomes. Existing DPIAs would remain valid as a way of achieving the new requirement, existing ROPAs will already go above and beyond the new requirement (with flexibility to tailor it further to meet an organisation’s needs) and organisations that previously used a data protection officer may continue to do so.
• Over 90% of the ICO’s enforcement actions over the last year related to PECR contraventions, which cover electronic communications such as electronic marketing and cookies. The proposed significant increases in fines for breaches of PECR are a strong reminder of the importance of having in place responsible marketing strategies, centred around transparency and gaining consumer trust. Organisations should consider conducting a marketing audit to assess their compliance position and identify areas requiring remedial action.
• UK based organisations that target products and services to EU citizens must still adhere to EU GDPR. Those organisations are unlikely to gain from the new regime’s increased flexibility, and the obligation to comply with two different regimes may complicate matters in some situations.
• Whilst the government claim that is “perfectly possible and reasonable” to expect the UK to maintain its adequacy status with the EU in the future regime, this remains to be seen. The final details will be closely scrutinised by the European Commission, after which time it will become clear whether the UK’s adequacy status for transfers of data between the UK and the EU is impacted.

What happened

• The UK Department of Health and Social Care in the United Kingdom has released a new data strategy named ‘Data saves lives: reshaping health and social care with data’. It was first released in draft form in 2021, and the final version was published this month.
• The strategy focuses on seven principles to drive transformation in health and care, aiming to create a “secure and privacy-preserving system that delivers for both patients and professionals”, according to the department.
• The data strategy contains commitments to give patients greater access to and control over their personal data, including by simplifying the opt-out processes for data sharing and improving access to GP records in the NHS App by giving patients access to their latest health information.
• Further improvements, in the form of enabling patients to request historic information including diagnosis, blood test results and immunisations more easily, is also planned. 
• Secure data environments will be made the default for NHS and adult social care organisations to provide access to de-identified data for research purposes.

Why it matters

• One of the main aims of GDPR is to protect the rights of individuals with regards to the use of their personal data, providing individuals with greater transparency and enhanced control over how their data is handled.
• Access to accurate, complete, and up to date patient data is integral to the delivery of effective healthcare. This strategy sets out a means to achieve this, through increased patient trust and confidence in the use and storage of their data.
• Ensuring data protection is embedded into an organisation’s processing activities and business practices, from the design stage right through the lifecycle, also known as ‘privacy by design’, is a legal requirement of UK GDPR.
• The strategy serves as a reminder to all organisations that data ethics and trust are critical. Strong privacy defaults, user-friendly options and controls, and enhanced access can all help to build trust.