UK Data Reform: Why my feelings are mixed

Written by Sara Newman | Jun 21, 2022 1:10:10 PM

The long-awaited results of the consultation about ‘Data: a new direction’ from the Department for Digital, Culture, Media and Sport (DCMS) were published on Friday, 17 June.

Firstly, it is important to note that thirty civil society organisations have accused the DCMS of conducting a 'rigged' and potentially unlawful consultation process around its new Data Reforms Bill, the UK’s proposed replacement for GDPR. You can read all about their views here. This to me speaks volumes about the process, but the DCMS is denying the claims. 

But, we are where we are, and the first thing to note is that what the DCMS is proposing is just that, a proposal. There has been no formal change to the UK DPA, so don’t panic, Mr Mainwaring (yet).

There are many elements of the UK DPA (and the GDPR) that can be improved or amended to be made more practical, such as Article 14 notifications or appropriate policy documents (as pointed out by a fellow privacy pro). In my opinion, the areas the DCMS is proposing to alter include some of the best bits of the existing legislation. Data Protection Officers, where required by the law (and where they are not), provide invaluable knowledge and independence to protect the rights of individuals. It is a professional position that requires appropriate qualifications and experience. All good stuff, right? The DCMS is suggesting replacing this with having a senior individual responsible, but the role and requirements are not in the same league. Does this put our data at risk? In some situations, yes. And those of us who live and breathe this know that the likely culprits will be the government, the police or the NHS carrying out these high-risk and high-volume processes. Sigh.

They are also proposing to get rid of the requirement to undertake Data Protection Impact Assessments (DPIAs), as they can sometimes cross over with other risk assessments that an organisation undertakes. OK, maybe, but a DPIA is an awfully specific assessment to ascertain if the rights and freedoms of an individual would be affected by a particular process. Keeping them separate means the focus remains on protecting individuals.

The final proposed removal I will mention is the Record of Processing Activities (ROPA). Currently mandatory for organisations with more than 250 staff, this is a central record of every process in an organisation. Are they cumbersome? Yes. I have completed and maintained enough to be confident in saying that, but that does not mean they are not hugely valuable. They support the accurate completion of privacy notices and the ability to fulfil data subject rights requests, to name but two.

Amongst the proposals, there are aspects to be welcomed, such as privacy management programmes. The response states these ‘will allow organisations to integrate current accountability mechanisms as elements of a holistic approach to accountability.’ The accountability principle, Article 5(2), states ‘The controller shall be responsible for and be able to demonstrate compliance’ [with the regulation], and anything that supports and strengthens that can only be a good thing.

The proposed reforms to the Information Commissioner’s Office (ICO) as written do not make it clear how they are going to benefit individuals. These feel like tweaks that may benefit government, but it is not clear how changing the ICO’s name or defining overarching objectives is going to give them the gumption to actually take enforcement action where it is most needed. I fear this threatens the ICO’s independence. Please note that the Commissioner recently and very publicly told police and prosecutors to stop the mass collection of personal information from rape victims or face being fined. Face being fined, not being fined now. Why not? They have broken the law.

Ultimately, I do fear the UK will lose adequacy with the EU and that, as I have said before, puts us on the back foot with regards to privacy globally.

If you do not do business outside of the UK, then these changes may make life seem a little easier from a privacy compliance perspective. If you work in Europe, then remember, folks, the GDPR still applies, DPOs, DPIAs, ROPAs and all!

Privacy is a fundamental human right and laws like the UK Data Protection Act are in place to protect individuals. I am all in support of reviewing and changing where required as long as the original reason behind the legislation is not forgotten.