The second reading of the Data Protection and Digital Information Bill (the Bill) has been delayed following the election of the new Conservative Party leader. The new date is yet to be announced, but in the meantime, it is worth analysing some of the key changes the Bill proposes. While it promises more flexibility and less ambiguity, practically speaking, the Bill may not represent a fundamental divergence from the current regime.
The proposed changes are:
|Current regime||Bill proposals|
|Designation of a Data Protection Officer (DPO) – Article 37 UK GDPR||Appointment of senior individual responsible for data protection – Clause 14|
|Requirement to undertake Data Protection Impact Assessments (DPIAs) – Article 35 UK GDPR||Implementation of risk assessment tools – Clause 17|
|Maintenance of records of processing – Article 30 UK GDPR||More flexible record keeping – Clause 15|
|Lawfulness of processing – Article 6 UK GDPR||New ground for processing: recognised legitimate interest – Clause 5|
The proposals in detail
- Organisations would be required to appoint one individual from their senior management to be responsible for managing their data protection risks instead of a DPO. This will only be needed when the controller or processor is a public body (except courts or tribunals in their judicial capacity) or when the processing is likely to pose a high risk to individuals.
The details of this responsible individual will still have to be publicly available and sent to the ICO. Moreover, their responsibilities under Clause 14 mirror those of Articles 37 to 39 UK GDPR. The role may be performed by the current DPO, although the requirement for them to be part of the organisation restricts the ability to appoint someone external. However, delegation of tasks to another person is permitted so that outsourcing of functions ought to be possible and may be necessary in circumstances where there is a conflict of interests affecting the senior responsible individual. In practice, conflicts of interest might arise where the senior responsible individual has played an executive role in relation to decisions or practices relevant to compliance, meaning that they could not objectively and independently advise on those issues.
- Instead of DPIAs, organisations will have to implement a risk assessment programme to assess, identify, and mitigate risks. DPIAs will be amended to “Assessments of high risk processing” and the requirements of Article 35 UK GDPR omitted or amended accordingly.
The assessment will still need to discuss the necessity of processing as well as risks to individuals and mitigation. While the UK GDPR required a “systematic description” of the processing, the Bill only requires a “summary of the purposes of processing.” Thus, while requirements are virtually the same, the new, more general wording grants greater flexibility to meet them.
- More flexibility to produce records of processing of personal data. The information to be included under the Bill reflects the same requirements as Article 30 UK GDPR. However, the Bill provides guidance on what factors organisations will need to consider to determine if they are keeping “appropriate records.” These include the resources available to the controller or the processor. This suggests that the approach to compliance can be tailored depending on the size and capacity of the organisation.
- A new ground for data processing will be created. Processing will be lawful where it is necessary for a recognised legitimate interest, as defined in the New Annex 1 to the UK GDPR. This new ground will only be available to controllers who are not public authorities or to public authorities that are not processing personal data in the performance of their tasks.
The list of recognised legitimate interests includes: safeguarding national security, public security, and defence; safeguarding of vulnerable individuals, including children; democratic engagement; and the prevention of crime and apprehension and prosecution of offenders. Thus, while useful, recognised legitimate interest is not likely to be a ground applicable for day-to-day data processing for many businesses.
The government has recognised that organisations that are currently compliant with UK GDPR will not have to take significant action to adapt to the new requirements unless they wish to benefit from the added flexibility.
While accountability remains at the centre, the Bill attempts to address the disproportionate burden that current GDPR requirements place on some organisations. The consultation ‘Data: a new direction’ showed that organisations predicted that this new approach could help them focus their resources more effectively. However, considering the similarities between both texts, there might not be as much room for change as expected.