Data Reform Bill

Significant reforms to the UK’s data protection regime will be introduced by a Data Reform Bill.

According to the government’s press release, the Bill will:

‘remove the UK GDPR’s prescriptive requirements giving organisations little flexibility about how they manage data risks - including the need for certain organisations, such as small businesses, to have a Data Protection Officer (DPO) and to undertake lengthy impact assessments. It means a small business … won’t have to recruit an independent DPO to fulfil the requirements of UK GDPR, provided they can manage risks effectively themselves, and they will not have to fill out unnecessary forms where the risk is low. Organisations will still be required to have a privacy management programme to ensure they are accountable for how they process personal data. The same high data protection standards will remain but organisations will have more flexibility to determine how they meet these standards.’

The Data Protection and Digital Information Bill has now been published. It contains provisions which amend rather than replace the existing UK GDPR and Data Protection Act 2018. The House of Commons Library has published a research briefing on the Bill. In more detail, the Bill’s proposals as they affect employers, specifically where HR deals with data protection issues, are as follows:

Privacy management programmes (PMPs)

The government wants to introduce a more flexible accountability framework, underpinned by ‘privacy management programmes’ (PMPs). The steps an organisation would be required to take to implement an effective PMP would reflect the volume and sensitivity of the personal data involved. The PMP approach would be based on a number of elements at the core of accountability, such as leadership and oversight, risk assessment, policies and processes, transparency, training and awareness of staff, and monitoring, evaluation and improvement.

To support the implementation of PMPs, the government also proposes removing the existing requirements to:

  • designate a data protection officer
  • undertake data protection impact assessments and
  • maintain a record of processing activities

In their place, the government proposes complementary measures under the PMP, such as:

  • appointing a suitable senior individual to be responsible for the programme
  • ensuring organisations implement risk assessment tools which help assess, identify and mitigate risks, and
  • a more flexible record keeping requirement

The consultation response states that ‘organisations that are currently compliant with the UK GDPR would not need to significantly change their approach to be compliant with the new requirements, unless they wanted to take advantage of the additional flexibility that the new legislation will provide’.

As to fears that PMPs will lead to a potential lowering of standards, the consultation response states that:

‘under the revised regime, organisations will have to implement a privacy management programme based on the level of processing activities and the volume and sensitivity of personal data they handle. Therefore, organisations that process highly sensitive data (i.e. special category data) or large volumes of high-risk data, will be expected to have the most robust approaches to accountability. The government believes that privacy management programmes will place greater emphasis on the principles at the core of accountability such as organisational responsibility; risk management; transparency; training and awareness of staff; and continuous monitoring, evaluation and improvement of data protection management within an organisation’.

The PMP requirement will also be subject to the same sanctions as under the current regime, carrying maximum fines of the greater of £8.7m or 2% of annual worldwide turnover.

Removal of DPOs

Despite most respondents to the consultation disagreeing with the proposal to remove the requirement to designate a DPO, the government intends to press ahead with this in the Bill and require organisations instead to appoint a senior responsible individual.

Most of the tasks of a DPO will become the ultimate responsibility of such an individual to oversee as part of the PMP. The designated senior individual’s role will include:

  • representing or delegating a representative to the ICO and data subjects
  • ensuring appropriate oversight and support is in place for the programme and appointing appropriate personnel
  • providing tailored training to ensure staff understand the organisation’s policies
  • regularly auditing the efficacy of the programme

Removal of data protection impact assessment

Again, despite most respondents to the consultation disagreeing with the proposal to remove the requirement to undertake data protection impact assessments, the government intends to press ahead with this in the Bill.

Under the new PMP, organisations will still be required to identify and manage risks, but they will be given greater flexibility as to how to meet these requirements. For example, organisations will no longer be required to undertake data protection impact assessments as prescribed in the UK GDPR but they will be required to ensure there are risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation. Organisations may wish to continue to use data protection impact assessments but tailor them based on their processing activities. Existing data protection impact assessments will remain valid as a way of achieving the new requirement.

Removal of the record of processing activities requirement

Similarly, most respondents to the consultation disagreed with the proposal to remove this requirement but, again, the government is to press ahead with this in the Bill.

Organisations will need to have personal data inventories as part of their PMP which describe what and where personal data is held, why it has been collected and how sensitive it is, but they will not be required to do so in the way prescribed by the requirements set out in Article 30 of the GDPR. PMPs will still require organisations to document the purposes of processing, but in a way which is more tailored to the organisation. The government believes that providing a new framework which encourages organisations to focus on the design of their privacy management programme, rather than meet a prescriptive tick box list, will also lead to greater transparency practices.

Prior consultation requirements

Currently under the GDPR, if organisations identify a data processing activity which poses high risks which cannot be mitigated, they must inform the ICO.

The Bill will remove this mandatory requirement in favour of a voluntary mechanism. Such voluntary prior consultation with the regulator will become a mitigating factor which the ICO may take into account when taking any enforcement action against an organisation.

Subject access requests (SARs)

Currently, employers can only refuse to provide the information requested in a SAR or charge a ‘reasonable fee’ if an exemption or restriction applies, or if the request is ‘manifestly unfounded or excessive’. The Bill amends this threshold from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. It would be for organisations to determine if the ‘vexatious’ threshold is satisfied. However, to assist employers, the Bill lists a number of relevant circumstances to be considered, similar to those already listed in the ICO’s guidance. The Bill also provides concrete examples of ‘vexatious’ requests, among which are those intended to cause distress, which are not made in good faith, or which constitute an ‘abuse of process’.