Data protection and digital information bill

What are the key changes?

Re-defining personal data

The data protection and digital information bill (DPDI) will change the definition of personal data so that information will only be considered identifiable:

  • where the individual is identifiable by the controller or processor by reasonable means; or
  • where the controller or processor knows that another person will obtain the information as a result of the processing and information will enable identification by that third party by reasonable means.

This amendment limits identification to the controller, processor or any third party that is likely to receive the information, rather than the general public.

Additionally, identification need only be by reasonable means, which must take into account the time, effort and costs involved in identifying the individual by that means, and the technology and other resources available.

The current definition often leads organisations to be overly cautious in treating almost all data processed as identifiable. This change will create efficiencies for organisations that process data that are not possible to reidentify.

Removal of UK representative

Currently, controllers and processors not established in the UK must appoint a UK representative when selling goods and services or monitoring behaviour of people in the UK.

Under the bill, this requirement has been removed.

Transformed role for the data protection officer

The DPDI bill removes the requirement to designate a DPO, replacing this with a requirement to appoint a senior responsible individual (SRI) if they are a public body or carry out high-risk processing.

The SRI will retain many of the responsibilities of the DPO. However, the current drafting requires the SRI to be part of the organisation’s senior management team, which introduces challenges for current in-house DPOs who don’t hold a position on senior management.

The individual may delegate their tasks to another person in which case that individual should be appropriately resourced and cannot be dismissed or penalised for performing those tasks. This will enable the continuation of an outsourced model based on external DPO appointments

Replacement of the record of processing activities (RoPA)

The DPDI bill proposes to remove the requirement to have and maintain a record of processing activities (RoPA), and replace it with an ‘appropriate records of processing of personal data’.

The bill adds these records are only required where the personal data processing is likely to result in a high risk to the rights and freedoms of individuals.

Replacement of data protection impact assessment (DPIA)

The bill proposes to remove the requirement to carry out a DPIA. However, organisations will be required to carry out ‘An assessment of high-risk processing’ which contains a summary of purposes of processing, assessment of necessity and risks to individuals and how such risks will be mitigated.

The mandatory requirement for prior consultation has been removed and replaced with a voluntary consultation process (engagement in a voluntary consultation will be treated as a mitigating factor during any ICO investigation or enforcement action).

Nevertheless, organisations also have the option to continue using existing DPIA processes (and are likely to do so if there is already an established process and organisational buy-in).

New provisions to assist with identifying compatible processing

The concept of purpose limitation and incompatible purposes is maintained in the bill; however, specific provisions have been added to aid organisations in determining if a new activity is compatible.

What this means in practice is whether the second activity is similar enough to the original to the initial purpose for which the data were collected.

Defined legitimate interests

The bill provides an approved list of "recognised" legitimate interests (as a legal basis for processing) which include various public interest purposes for which no balancing test (ie the controller's legitimate interests versus the rights and interests of the data subject) would be required.

This list includes direct marketing, intra-group sharing of personal data for internal administrative purposes and ensuring the security of network and information systems.

These examples are highlighted as non-exhaustive and that other legitimate activities may exist, but your organisation would still be required to carry out a legitimate interests assessment for these additional activities.

Improved definitions for research purposes

Changes introduced within the bill add clarity to the definition of “scientific research purposes”, which include commercial or non-commercial activity, and a change to broaden the meaning of “scientific research”, to encompass processing activities which can “reasonably be described as” scientific in nature.

Broader consent for scientific research

When it comes to scientific research it is acknowledged that it is often not possible to fully identify purposes at the time of data collection.

The planned reforms allow for a broader consent mechanism to be used for scientific research purposes. This will reduce uncertainty and concerns around the use of consent while widening its usefulness as a lawful basis for this type of activity.

Data subject rights - right to be informed

A new exemption has been inserted which applies where the controller intends to further process personal data for the purposes of scientific or historical research, archiving in the public interest or statistical and providing the information would involve a disproportionate effort.

This change would therefore ensure that research is not restricted in situations where re-contacting data subjects does not present a proportionate balance between the effort involve for you to provide individuals with privacy information and the effect that your use of their personal data will have on them.

Refusing data subject rights

The current guidance will be amended to allow an organisation to refuse to comply with data subject requests, or charge a fee for handling such requests, in circumstances where it is ‘vexatious or excessive’.

This amendment will make it easier for organisations to refuse certain requests.

Rights in relation to automated decision-making

UK government stated it would rebrand the existing rights in relation to automated decision-making as a ‘right to specific safeguards, rather than a general prohibition on solely automated decision making”.

The intention is that these reforms will “enable the deployment of AI-powered automated decision making, providing scope for innovation with appropriate safeguards in place”.

The bill includes restrictions on significant decisions based entirely or partly on special categories of personal data using solely automated processing.

These include providing the data subject with information about the decision, enabling the data subject to make representations about the decision, enabling the data subject to obtain human intervention and contesting the decision.

New reporting duties

The bill introduces new obligations on providers of electronic communications networks.

Specifically, these providers would be required to notify the ICO of "any reasonable grounds" they have for suspecting that a person is contravening or has contravened the direct marketing rules.

Any failure to do so could result in penalties for non-compliance.

This ups the ante for organisations taking a risk-based approach when it comes to direct marketing activity. Whilst this provision itself will only apply to electronic communication service providers, it is likely to increase the ICO's awareness of non-compliant direct marketing communications, which in turn could result in more enforcement action being taken in relation to direct marketing breaches.

International Transfers

The government press release stated the improved bill will “support even more international trade without creating extra costs for businesses if they’re already compliant with current data regulation.”

Data protection tests for adequacy decisions

The bill will reform the existing approach for assessing adequacy of third countries and rebadge it as a “data protection test” which focuses on risk based decision-making and outcomes.

The test will be met if the standard of data protection is “not materially lower” than that provided under UK law.

Privacy and electronic communications regulations (PECR)

The bill will introduce the following changes to PECR.

Increase in fines

The DPDI will increase fines for nuisance calls and direct marketing from £500,000 to either up to 4% of an organisation’s global turnover or £17.5m, whichever is greater.

Changes to cookies

The bill proposes that consent would not be required for online trackers placed:

  • for the purposes of collecting statistical information in order to bring improvements
  • for the installation of necessary security updates to a device; and
  • to locate an individual in an emergency.

In order to rely on the exemption, the user must be given a simple means of objecting – this will therefore still require a means of managing a user’s preferences.

It is important to note that this will not permit use of third-party tracking cookies, such as the Facebook and LinkedIn pixels, which would still require consent.

UK organisations will need to consider how they continue to cater for a global audiences. UK visitors may be given the option to object to analytics cookies and EU visitors will have to be presented with a banner that requests consent.

Expansion of the soft opt-in rule for not-for-profit organisations

There is a widespread misconception that consent is always needed for email marketing.

For business to consumer marketing by electronic mail, an exemption, known as the ‘soft opt-in’, exists for commercial use, if specific conditions are met.

However, charities have been restricted to using this exemption for their commercial activities only.

For example, if they have an online shop, they have not been permitted to use supporter data gathered via the soft opt-in for fundraising purposes.

Under the DPDI, it’s proposed the soft opt-in exemption will be extended to non-commercial organisations and purposes.

This guide is made available under Creative Commons License (CC BY-NC-ND).