6 data protection reforms you never knew you needed
11 Jul 2022
The UK government has published its response to the consultation “Data: a new direction”. The aims are admirable: Establishing the UK as an attractive global data marketplace, through greater (and more innovative) uses of personal data and reduced compliance burden (saving businesses £1bn over ten years) as well as empowering citizens.
Critics point to an inevitable spat (yes – another one!) with the EU about divergence on data protection rules, jeopardising UK-EU data flows. Or that “box-ticking” is simply the wrong way to look at the UK GDPR – after all, data protection is about preventing harms to people, and current rules help to keep businesses honest.
There’s a lot to unpack. But here’s my take on some of the most talked-about proposals.
1. You've probably got a PMP
What’s a PMP, I hear you ask? PMP stands for Privacy Management Programme. This will be a new legal requirement. Your PMP should cover oversight, policies and procedures, risk assessments, training and so on. Sound familiar? Well yes – because your current data protection compliance programme probably already covers this.
2. DPIAs by another name
Data Protection Impact Assessments (DPIAs) will be a thing of the past. Woo hoo! Hmm, not quite. You will still have to risk-assess some data projects. But you’ll be able to use different kinds of risk assessments appropriate to the project. In fact, this is already the approach supported by the ICO. True, they have published an optional DPIA template. But provided the aims of a DPIA are met – identification and mitigation of privacy risks – the ICO’s steer is that you have flexibility in the kind of risk assessment that suits the task at hand.
3. Think before binning your ROPAs!
Remember all your efforts in documenting your data flows and processing activities in 2018? The Record of Processing Activities (or ROPA) was a GDPR innovation to help organisations identify where data is, where it came from, where it goes, and what’s done with it. The argument for scrapping it is that prescriptive rules about how this should be done and how it should be documented are not helpful. As with the DPIA, I just don’t think that’s the current state of play.
Businesses that increasingly rely on data for their very existence absolutely must have their arms around this. To say otherwise is disingenuous. I’m seeing more demand from our clients for good documentation – not less focus on it.
4. Spam! Spam! Spam!
Have you heard of the “soft opt-in”? It allows businesses to send you unsolicited marketing emails if you’ve bought goods or services from them in the past. It doesn’t apply to not-for-profit organisations but the government proposes to change that (exactly what the criteria will be remains to be seen). Useful for fundraisers perhaps, but less so for other types of organisations, like pension scheme trustees. “Marketing” is currently interpreted very widely and may include, for example, sending newsletters or signposting members to financial advice services. In my view, it would be better to clarify that this type of activity, which is carried out in the best interests of members, is not considered marketing in the first place. (Side note – the maximum penalties for breaching electronic marketing rules will increase from £500,000 to £17.5m/4% of global turnover.)
5. No more annoying cookie popups!
Who else loves spending time on websites closing down relentless cookie pop-ups? Yawn. Good news! They may be a thing of the past. Or will they? The government proposes that in the immediate term, businesses using cookies for non-intrusive purposes will no longer have to display a pop-up. The measure seems targeted at non-intrusive analytics and performance cookies. In the longer term, the government intends to completely remove the requirement to display a cookie consent pop-up to UK residents and move to an “opt out” model when browser technology permits. There is an elephant in the room. Implicit in the “UK residents” qualification is that businesses who target customers in the EU will still need to comply with EU rules. So businesses may need to re-engineer their websites based on geographical markets, or they may need to establish where a customer is before deciding whether to display a pop-up. So be prepared to “share your location” when accessing a website in future. That’ll be less annoying, won’t it?
6. Why you might still need a “DPO” (unless you’re a pharmacist)
OK, personal interest declared here! Employing the services of a DPO is an unnecessary and expensive overhead for some smaller businesses, like an independent pharmacist, the government says. Many organisations will still have to appoint a senior individual responsible for data protection matters. But the requirements around qualifications, experience and independence may be watered down in law. Is that a good thing? Most respondents disagreed with this proposal. As an aside, a colleague mused whether onerous tax obligations on businesses should be relaxed to avoid the need to hire an accountant. I will leave you to ponder that one.