Nick Westbrook outlines the most significant areas of reform to the UK GDPR since it came into force in May 2018.
On 17 June 2022, the UK government published its refined plans for reforming UK data protection law, following a detailed consultation exercise undertaken last year.
The proposals form part of wider changes to the UK regulatory environment following the country’s departure from the European Union, and will see the first substantive reforms to the UK GDPR since it came into force in May 2018.
Overall, the fundamentals of the UK data protection regime will not change, and several of the more significant proposals in the consultation have been dropped.
Nevertheless, the UK intends to make a significant number of changes which, broadly speaking, emphasise proportionality and seek to encourage innovation and growth. In this article, we outline some of the most significant areas of reform.
Accountability and governance
The UK intends to revoke current requirements to appoint data protection officers, conduct data protection impact assessments, and maintain records of processing activities. Instead, organisations will need to implement a ‘privacy management programme’ (‘PMP‘).
The PMP is intended to introduce a ‘holistic’ approach to accountability, with the most robust approaches expected from those that process highly sensitive data or large volumes of high-risk data.
Amongst other things, the PMP will require the appointment of a suitable senior individual as responsible for the programme, continuous monitoring and improvement of existing measures, regular audits, risk assessment tools, and a personal data inventory.
Responding to concerns that further regulatory changes could be costly to implement, the UK government has confirmed that organisations which currently comply with the UK GDPR will not need to ‘significantly change’ their current approach in order to comply with the new regime.
In the immediate term, the UK intends to expand the scope of the current cookie consent exemptions. The full extent of these exemptions have not been confirmed, but they will include certain types of analytics cookies (which measure how users engage with a website).
Consistent with the government’s intention to reduce the burden of existing cookie consent banners on users, the longer-term plan is to enable cookies to be deployed without consent so long as users are given clear information on how to opt-out.
However, the UK will only make this change when solutions allowing individuals to manage their preferences are widely available, and it will not apply to websites likely to be accessed by children.
Significantly, the UK will also align the maximum fine threshold for breach of requirements relating to cookies (and other infringements of PECR) with the UK GDPR, suggesting that maximum fines will increase from the current amount of GBP 500,000 to GBP 17.5 million or 4% of global turnover.
Data breach reporting
Proposals to alter the existing threshold for when personal data breaches must be reported to the ICO have been dropped.
Instead, the UK government will work with the ICO to develop clearer guidance on when the existing notification requirement is triggered.
Lawful grounds for processing
A new list of processing activities for which organisations can rely on legitimate interests without applying the balancing test will be introduced.
However, the list will initially be limited to processing for defined public interest purposes, and additional safeguards may be implemented in respect of children’s data.
International data transfer mechanisms
The reforms will reinforce the importance of proportionality when assessing the risk of transferring data based on ‘alternative transfer mechanisms’ (for example standard contractual clauses).
This should enable organisations to take a more pragmatic approach when conducting transfer impact assessments following the Schrems II decision.
However, the UK will not move forward with proposals to allow organisations to create their own transfer mechanisms, nor to enable the repetitive use of derogations to the existing transfer regime.
The current adequacy regime will be modified in order to better enable the UK to adopt a risk-based approach when assessing the adequacy of third country regimes.
Reforms will also enable the UK to take account of the desirability of facilitating international data flows in adequacy assessments.
A new condition will be introduced to allow for the processing of special category data for the purpose of monitoring and correcting algorithmic bias in AI systems, subject to appropriate safeguards.
However, initial proposals to remove Article 22 of the UK GDPR, which deals with automated decision-making, will not be taken forward. Instead, the law will be clarified to make clear that Article 22 does not create a general prohibition, but instead provides a right to certain safeguards.
Key issues such as fairness and explainability in the context of AI systems will be addressed as part of the government’s upcoming white paper on AI governance.
Role of the UK ICO
The UK intends to take forward proposals to reform the ICO. In particular, the ICO will be required to have regard to competition, growth, innovation, and a statement of the UK government’s strategic priorities (‘SSP’), and to obtain approval from the UK government in respect of codes of practice and statutory guidance.
However, some concessions have been made in response to concerns around the impact of these changes on the ICO’s independence, for example by clarifying that the ICO will not be required to act in accordance with the SSP.
There will also be changes to the ICO’s current structure, processes for dealing with data subject complaints, and potentially a new name.
In May 2022, the Queen’s Speech indicated that the UK Government would bring forward a Data Reform Bill in order to reform the current UK data protection regime.
We expect that the legislative changes identified in the Response will be included in this.
The UK Government’s forthcoming white paper on AI is also expected to provide further insight into the UK’s intended approach in this area.
Nick Westbrook is a Senior Associate at Hogan Lovells, based in London.