UK data protection law reform advocates ‘privacy management’

Many of the proposed reforms are targeted at the accountability framework that is built into the UK General Data Protection Regulation (GDPR) currently.

The Department for Digital, Culture, Media and Sport (DCMS) said the existing accountability rules “may be generating a significant and disproportionate administrative burden, and leading organisations to misdirect time and energy away from the activities that ensure the responsible use of personal data in a specific context”, and further “putting a particularly disproportionate burden on SMEs and organisations that undertake low risk processing”.

The need for businesses to carry out data protection impact assessments (DPIAs) and consult the UK’s Information Commissioner’s Office (ICO) in relation to high-risk personal data processing that cannot be mitigated are among the provisions that would be removed from legislation under the proposals. Existing record keeping duties would also be replaced with more flexible requirements that the government said would better reflect “the volume and sensitivity of the personal information” businesses handle.

The government is also proposing to tackle “over-reporting” of personal data breaches by increasing the threshold for notifying the ICO of such incidents. Under those proposals, organisations would have to report a breach unless the risk to individuals is “not material”. DCMS said it would “encourage the ICO to produce guidance and examples of what constitutes a ‘non material’ risk, as well as to produce examples of what is and what is not reportable, in order to assist organisations”.

Further changes being considered include the introduction of “a fee regime … for access to personal data held by all data controllers” to address the burdens entailed in handling subject access requests.

The revamped accountability framework envisaged by the UK government would be built around more flexible and risk-based “privacy management programmes”. DCMS said this form of accountability is already provided for in some other jurisdictions, such as Singapore, Australia and Canada, and offers businesses that implement those programmes successfully “competitive benefits and reputational advantages”.

“This proposal would require an organisation to develop and implement a risk-based privacy management programme that reflects the volume and sensitivity of the personal information it handles, and the type(s) of data processing it carries out,” the government said. “A privacy management programme would include the appropriate personal information policies and processes for the protection of personal information.”

“A privacy management programme is a framework intended to help an organisation establish a robust and risk-based approach to data protection management, which is embraced and embedded throughout its activities. Privacy management programmes are based on a number of elements at the core of accountability, such as: leadership and oversight, risk assessment, policies and processes, transparency, training and awareness of staff, and monitoring, evaluation and improvement,” it said.

The proposed changes to the UK data protection regime, as trailed by the government last month, also include a raft of measures to “reduce barriers” to responsible data-related innovation.

The government is looking to simplify the “complex, dispersed and layered” provisions currently relating to the use of personal data for research purposes, including making it clearer how the data can be used for scientific research. The ICO is currently developing guidance to “provide greater clarity for researchers on the various research provisions” under existing legislation, but the government said legislative reform is required to deliver “full benefits”.

The government is considering establishing “a new, separate lawful ground for research, subject to suitable safeguards” and wants to update the law to enable researchers to use individuals’ personal data on the basis of their consent even if “it is not possible to fully identify the purpose of personal data processing at the time of data collection”. Further reforms proposed would enable “the further use of data for research purposes” when it was collected for a separate purpose.

Further proposals aim to address what the government described as “consent fatigue” by clarifying the circumstances in which businesses will be able to rely on their ‘legitimate interests’ for processing personal data.

Businesses can already rely on this provision providing their interests in processing personal data do not unduly prejudice the rights and freedoms of individuals. However, the government plans to “create a limited, exhaustive list of legitimate interests for which organisations can use personal data” without having to apply the current balancing test involved in considering individuals’ rights and freedoms. It said this would give organisations “more confidence to process personal data without unnecessary recourse to consent”.

Examples of data processing activities that could be included on the new legitimate interests list were cited in the government’s consultation paper. While it said the balancing test for processing children’s data under the legitimate interests provisions would be retained, it could be removed for processing envisaged for monitoring, detecting or correcting bias in relation to developing AI systems, using audience measurement cookies or similar technologies to improve web pages that are frequently visited by service users, improving or reviewing an organisation’s system or network security and for the use of personal data for internal research and development purposes or business innovation purposes aimed at improving services for customers.

In a boost for the emerging concept of data stewardship, including potential data trust models, the government said it would “like to better understand the lawful grounds that might be used for the stewardship activities performed by data intermediaries, as well as the conferring of data processing rights and responsibilities to those data intermediaries”. It added that it is “exploring under what circumstances consent might be the only appropriate lawful ground, and what predefined criteria would have to be met to remove the need for recourse to consent”.

“Businesses – particularly SMEs – will be likely to welcome many of these proposals, particularly attempts to limit the administrative burden regarding issues such as data breaches and DPIAs,” said data protection law expert Jonathan Kirsop of Pinsent Masons, the law firm behind Out-Law. “Reforms regarding the ease with which data subject access requests can be made will also be interesting to companies who are often receive these for ulterior motives in the context of wider disputes and grievances.”

“That said, the UK GDPR is already predicated largely on a set of risk-based principles and the principle of proportionality. There could be a risk that some proposed reforms – such as greater prescription as to what constitutes “legitimate interests” – could go too far in diluting data subject’s rights while giving businesses – in practice – less flexibility as to how they comply,” he said.

Claire Edwards, also of Pinsent Masons, said: “Global businesses may find the UK’s move to a privacy management system of accountability of limited benefit given their need in parallel to continue to comply with the EU GDPR full accountability framework. However, we would hope that a more practical approach could also be considered by EU policy makers. Anything which moves compliance into practical steps which ensure protection of data for individuals rather than endless paperwork has to be helpful for business.”

“The ability to charge for subject access requests will bring a cheer in many areas where data subject requests have given businesses an extremely heavy disclosure burden which far outweighs the benefit to individuals in many cases, where persons often look to obtain data either as a means of pre-litigation disclosure or in some cases for nuisance factors. What we do need to ensure, however, is that the right to charge, and the removal of cookies banners as has also been proposed, does not mean that transparency over the use of individual’s data is hidden behind high level principles set out in data protection policies and that it acts to limit access or undermines individuals’ right to understand the processing of their data,” she said.

Though the DCMS consultation focuses predominantly on reforms to the UK’s data protection framework, other data-related reforms are being considered – including potentially radical amendments to regulations governing the use of cookies.

The government has estimated that the proposed reforms could deliver “a net direct monetised benefit” of more than £1 billion over 10 years, which it said would be “driven by removing barriers to responsible data use and reducing business burdens”.