Data Protection in the UK: Get ready for another shake up
On 10 September 2021, the Government published its vision for the future of data protection in the UK. ‘A new Direction’ sets out the proposed regime that we all may be responsible for upholding. In five parts it considers 74 potential changes that may affect organisations processing the personal data of people who reside in the UK. Some of the suggested amendments are quite good and are intended to lift the burden of compliance, especially for smaller organisations. Others may unfortunately have the reverse effect, creating more uncertainty.
It is important to point out that these are only proposals. There will be many twists and turns to follow, and any changes are not likely to become law until 2023. Here are a few for you to consider.
The obligation to undertake a Data Protection Impact Assessment (DPIA) is potentially removed. A DPIA assists the controller in understanding the level of risk its processing creates for the data subject. As the GDPR is a risk-based piece of legislation, this is clearly important. The consultation says that it may not be necessary in future to complete such an exercise in quite the way the GDPR prescribes, but risk must still be assessed and recorded in some form.
Record keeping. The consultation says that the GDPR ‘Records of Processing Activities’ format need not be followed if an effective alternative can be found. Records of what data you hold, what you do with it and where you keep it are essential for any controller to understand its own processing. This may offer some flexibility in how records are kept in future; however, an effective alternative must still be in place.
The notion of a Privacy Management Programme is introduced. The proposed Programme would bring together your records of processing activities along with your policies and risk assessments. It will need to be maintained and shared with the ICO on demand. This is intended to centralise your documentation and make it easier to demonstrate compliance. You may find that most of the requirements have already been met, and it is likely that the ICO would publish guidance on how to structure such a programme.
The appointment of ‘Responsible Individuals’. This is a formal framework of staff who are responsible for processing activities in different departments. It may encourage a more consistent level of compliance from one department to another and so help with accountability. Regular meetings between these individuals could provide a forum to share and discuss concerns. A formal structure of this kind seems like a good idea and would certainly help to develop a greater understanding of the challenges of compliance.
These are just a flavour of the changes that may be made to make data protection work better in the UK. Some changes would clearly help smaller organisations. Some remove formality from the UK GDPR and are intended to empower organisations to make their own decisions. Others might genuinely help organisations meet their obligations. There are also new challenges. Just when you thought you understood the GDPR, ‘A New Direction’ could be the catalyst for the biggest shake up of UK data protection law in a decade.