UK’s GDPR lite “replacement” kills off DPOs (in name)
UK plans to relax some protections under Europe’s General Data Protection Regulation (GDPR) in its revised Data Protection and Digital Information Bill, after a round of external consultations. The proposed changes reduce requirements around the processing of personal data where it is used for “legitimate interests”, aim to clarify the rules around the use of algorithm-powered decision making, and, critically, greenlight international data transfer mechanisms lawfully entered into before the new UK data protection bill landed.
The bill includes a list of “legitimate interest” activities for a data controller. They are illustrative and non-exhaustive, but include direct marketing, intra-organisational transmission of data and network and information systems security. Existing data protection exceptions which apply for scientific research have been further amended to clarify that they cover any research that can reasonably be described as scientific, whether publicly or privately funded, and whether carried out as a commercial or non-commercial activity.
Businesses will also no longer need to appoint a Data Protection Officer (DPO); instead, as Osborne Clarke emphasises, "if they carry out high risk processing (or are a public authority), they will be required to designate a 'senior responsible individual' who will be accountable for data protection compliance." (A bit like a DPO...)
However, the individual must "now be part of the business's senior management, as opposed to the current position, where the DPO reports to senior management but has to be independent of it."
The initial UK data protection bill was introduced in July 2022 by the Liz Truss government and has now been withdrawn. The government says the new bill, by cutting red tape, could save companies more than £4 billion over the next 10 years. A date for its second reading in the House of Commons has yet to be confirmed.
Julian David, TechUK CEO, was among those welcoming the bill. He said it "builds on ambitions to bring organisations clarity and flexibility when using personal data" and will "give companies greater legal confidence to conduct research, deliver basic business services and develop new technologies such as AI, while retaining levels of data protection in line with the highest global standards, including data adequacy with the EU."
New UK data protection bill: No QR codes needed to read it...
The new UK data protection bill is the product not just of a new government, following Conservative Party turmoil last year, but also of departmental musical chairs that have seen responsibility for data protection policy shift from the Department for Digital, Culture, Media and Sport to a new Department for Science, Innovation and Technology (DSIT), led by Secretary of State Michelle Donelan MP. That department this week also launched the government's declared plan to "cement the UK's place as a science and technology superpower by 2030".
(Prime Minister Rishi Sunak celebrated this by tweeting a QR code that directed those willing to scan it to download Adobe software, which then allowed them to see some very rudimentary graphical exhortations to make the UK a science and technology superpower; a little vignette that left some bemused.)
Pinsent Masons Partner Kathryn Wynn said of the new GDPR-lite bill that "during party conference season in the autumn, it appeared that the government – then under the leadership of Liz Truss – was intent on changing the original Bill to a much greater extent than it has done now under the leadership of Rishi Sunak. This perhaps reflects the reality that any changes made to the UK data protection framework need to be within the bounds of what the European Commission would endorse under an 'adequacy' agreement, given the costs to businesses in the UK if the UK regime were to fail the EU's adequacy assessment," she added in a blog published March 9.