The UK Government has introduced a Data (Use and Access) Bill (https://bills.parliament.uk/bills/3825) which includes some updates to UK GDPR.
Whilst some media are touting this as a reform of UK GDPR (like the previous Tory Data Protection & Digital Information Bill), it only touches a few aspects of UK data protection. The underlying intention of the Bill is to make sharing data easier for certain organisations (e.g. the police, NHS) with the aim of “kickstarting economic growth” (with an expectation of generating £10bn towards the economy) and “building an NHS fit for the future”.
Aside from these key aims of the Bill though, it does include some updates to UK data protection, which could impact most UK businesses. So, if the Bill succeeds through Parliament and is passed (at the time of writing it is at the House of Commons Committee report stage), this is how the Bill could impact you:
Subject access requests
- The ability for organisations to “stop the clock” on subject access requests if more information is needed or the identity of the requester needs verifying. This will adjust the time in which the request has to be dealt with
- The Bill also sets out that requests need to be “reasonable and proportionate”
Right to portability
- The direct sharing of data between certain authorised organisations or regulated third parties (e.g. banks, energy providers, telecoms, mortgages, insurance, etc.)
Right to be informed
- The removal of the need to provide privacy information if it “is impossible or would involve disproportionate effort” (although it will need to be clear how this is defined, otherwise it could be seen as weakening the right to be informed)
Legitimate interest as a lawful basis
- The introduction of “recognised legitimate interests”, meaning Legitimate Interest Assessments (LIAs) won’t be needed for certain legitimate interest processing
- Clarity regarding the use of legitimate interest for marketing purposes
Automated decision making
- Changes to the restrictions on relying on automated decision-making processes (e.g. when using AI) which have a legal impact on the individual. The condition in UK GDPR may be reduced to only apply to processing of special category data
Complaint handling
- Introduction of measures regarding data protection complaint handling. Businesses could be required to provide a complaints process, respond to complaints within 30 days and notify the ICO of the number of complaints received
Changes to the ICO
- The ICO to become the Information Commission, which operates along the same lines as the FCA and the Competition and Markets Authority, with more government influence
Changes to the Privacy and Electronic Communications Regulations (PECR)
- Increasing PECR fines to be in line with GDPR fines (currently PECR fines are capped at £500k)
- Allowing the use of analytics and some authorised cookies without consent
- Changing the definition of unsolicited “spam” emails to include messages even if they were not received by someone (thus expanding the volume to be considered by enforcement of the PECR rules)
More information about the Bill and its passage through Parliament can be found here: https://bills.parliament.uk/bills/3825.