{"id":36783,"date":"2022-06-23T10:00:00","date_gmt":"2022-06-23T10:00:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/archives\/36783"},"modified":"2022-06-23T10:00:00","modified_gmt":"2022-06-23T10:00:00","slug":"what-will-the-data-reform-bill-mean-for-uk-businesses-operating-in-the-eu","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=36783","title":{"rendered":"What will the Data Reform Bill mean for UK businesses operating in the EU?"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2022\/06\/what-will-the-data-reform-bill-mean-for-uk-businesses-operating-in-the-eu.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/252518054\/Data-Reform-Bill-announced-in-Queens-Speech\">At the state opening of parliament on 10 May<\/a>, the Prince of Wales announced the government\u2019s intention to reform the UK\u2019s data protection regime. Since Brexit, this has comprised two complementary laws \u2013 the <a href=\"https:\/\/www.techtarget.com\/whatis\/definition\/General-Data-Protection-Regulation-GDPR\">UK GDPR<\/a> (General Data Protection Regulation) and the DPA (Data Protection Act) 2018.<\/p>\n<p>The UK GDPR applies both to UK organisations that collect, store or otherwise process the personal data of individuals residing in the UK, and to non-UK organisations that offer goods or services to, or monitor the behaviour of, UK residents. As its name suggests, the UK GDPR is based on, and is substantially similar to, the EU GDPR, which applied in the UK before Brexit.<\/p>\n<p>The DPA 2018 supports the UK GDPR and applies to certain types of processing that are outside the Regulation\u2019s scope, including processing by public authorities. 
The DPA 2018 also sets out data processing regimes for law enforcement processing and intelligence services processing.<\/p>\n<p>The GDPR originated in the EU \u2013 albeit with significant input from UK experts and the UK\u2019s data protection authority, the Information Commissioner\u2019s Office (ICO) \u2013 so Boris Johnson\u2019s government, elected on a promise of getting Brexit done and cutting EU red tape, has long earmarked it for reform.<\/p>\n<p>According to the official briefing notes for the Queen\u2019s Speech, reforming the UK GDPR and DPA 2018 should \u201ccreate over \u00a31bn in business savings over 10 years by reducing burdens on businesses of all sizes\u201d, such as \u201cexcessive paperwork\u201d and other obligations that have \u201clittle benefit to citizens\u201d.<\/p>\n<p>The outcome of the Department for Digital, Culture, Media and Sport consultation on data protection reform <a href=\"https:\/\/www.computerweekly.com\/news\/252521645\/Government-responds-to-Data-Reform-Bill-consultation\">has now been published<\/a> and the principal recommendations that will be carried through to legislation are now known.<\/p>\n<p>In essence, these proposals seek to lessen the administrative burden on organisations (reducing \u201cred tape\u201d), while maintaining an adequate level of protection for individuals\u2019 rights.<\/p>\n<p>The key requirements are as follows.<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"Organisations must implement privacy management programmes\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Organisations must implement privacy management programmes<\/h3>\n<p>The principle of accountability remains key, and it is to be upheld by implementing a privacy management programme, which needs to be proportional to the risk created by the organisation\u2019s data protection processing activities.&nbsp;The government believes that such programmes \u201cwill place greater 
emphasis on the principles at the core of accountability, such as organisational responsibility; risk management; transparency; training and awareness of staff; and continuous monitoring, evaluation and improvement of data protection management within an organisation\u201d.<\/p>\n<p>In practice, this is often the approach already taken by larger or more complex organisations. This broader approach is to be welcomed, as it will encourage the many smaller organisations that perhaps currently do not do enough to review and modify their practice in order to introduce a more appropriate data protection programme.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Removal of the requirement to designate a DPO\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Removal of the requirement to designate a DPO<\/h3>\n<p>Article 37 of the UK GDPR requires a <a href=\"https:\/\/www.computerweekly.com\/opinion\/What-has-a-year-of-home-working-meant-for-the-DPO\">data protection officer<\/a> (DPO) to be appointed in certain specific circumstances. Currently, it is not mandatory for the vast majority of UK organisations to appoint a DPO.<\/p>\n<p>A data protection officer is responsible for:<\/p>\n<ul class=\"default-list\">\n<li>Representing or delegating a representative to the ICO and data subjects.<\/li>\n<li>Ensuring appropriate oversight and support is in place for the programme and appointing appropriate personnel.<\/li>\n<li>Providing tailored training to ensure staff understand the organisation\u2019s policies.<\/li>\n<li>Regularly auditing the efficacy of the programme.<\/li>\n<\/ul>\n<p>The new proposal is that organisations must appoint a \u201csenior responsible individual\u201d as a data protection officer. 
The government hopes that this \u201cwill shift the emphasis to ensure data protection is established at a senior level to embed an organisation-wide culture of data protection\u201d.<\/p>\n<p>While this is a \u201cheadline\u201d proposal, it probably will not make a substantial difference to the administrative burden for many organisations. The key challenge will be to ensure that the \u201csenior responsible individual\u201d has a suitable working knowledge of the law and data protection to effectively undertake their duties.<\/p>\n<p>In practice, we are sure that many organisations will continue to delegate the detail of managing their data protection programmes to experienced professionals. The government suggests that \u201csome organisations that process large volumes of highly sensitive data might continue to appoint and resource data protection officers where they consider that is the best way to monitor and improve compliance\u201d.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"A more flexible approach to DPIAs\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>A more flexible approach to DPIAs<\/h3>\n<p>Article 35 of the UK GDPR requires organisations to carry out a <a href=\"https:\/\/www.techtarget.com\/searchcio\/definition\/data-protection-impact-assessment-DPIA\">data protection impact assessment<\/a> (DPIA) when a type of processing is likely to result in a high risk to data subjects\u2019 rights and freedoms. 
The government is legislating to remove the mandatory requirement to undertake DPIAs for high-risk processing, as it believes that \u201cdata protection impact assessments can be a more prescriptive duplication of other risk assessments that achieve the same outcome performed within an organisation; for example, organisations which have compliance teams performing wider risk analysis which sometimes ends up duplicating some of the requirements under the data protection impact assessment requirement\u201d.<\/p>\n<p>Other than a DPIA or specific privacy risk programme, it is extremely rare to find any risk assessment in an organisation that recognises the risks to individual data protection rights. For this reason, it is highly unlikely that this change will be material. In fact, it may actually increase the administrative burden on organisations by extending the requirement to \u201censure there are risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation\u201d as part of their privacy management programme.<\/p>\n<p>However, the increased focus on formal risk assessments that this legislation will inevitably bring is welcome.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Changes to the requirement to keep records of data processing activities\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Changes to the requirement to keep records of data processing activities<\/h3>\n<p>Article 30 of the UK GDPR requires data controllers to keep specific records of their data protection processing. 
The government will legislate to replace this requirement with a more general requirement where \u201corganisations will need to have personal data inventories as part of their privacy management programme which describe what and where personal data is held, why it has been collected and how sensitive it is\u201d.<\/p>\n<p>Superficially, this would appear to be a simplification of the existing requirement, removing the need to document some of the existing characteristics of the processing \u2013 for example, envisaged time limits, international transfers and appropriate safeguards. However, in practice, many of these attributes will still have to be maintained for an effective privacy management programme and associated risk assessments.&nbsp;It is hard to envisage how this proposal constitutes a material saving in administration for organisations and, sadly, looks like rearranging the deckchairs.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Other GDPR-related changes\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Other GDPR-related changes<\/h3>\n<p>There are several other changes to the existing GDPR-based regime being legislated that will not have a significant impact on the vast majority of organisations. 
These include a change from mandatory to voluntary consultations with the ICO in relation to new high-risk data processing, and changing the current threshold for refusing or charging a reasonable fee for a subject access request from \u201cmanifestly unfounded or excessive\u201d to \u201cvexatious or excessive\u201d, which will bring it into line with the Freedom of Information regime.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Changes to PECR and cookies\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Changes to PECR and cookies<\/h3>\n<p>The consultation also focused heavily on reviewing the controls introduced by the Privacy and Electronic Communications Regulations (PECR) \u2013 in particular, the requirement to display <a href=\"https:\/\/www.computerweekly.com\/news\/252512832\/Mechanism-underlying-cookie-popups-found-in-breach-of-GDPR\">cookie banners on websites<\/a>.<\/p>\n<p>The government will introduce legislation to remove the need for websites (and other connected devices) to display cookie banners to UK residents and \u201cin the immediate term, the government will permit cookies (and similar technologies) to be placed on a user\u2019s device without explicit consent, for a small number of other non-intrusive purposes\u201d. The example quoted is for website analytics.&nbsp;<\/p>\n<p>Interestingly, the government will also require websites to respect automated signals emitted by browsers and intends \u201cto move to an opt-out model of consent for cookies only when the government assesses these solutions are widely available for use\u201d.<\/p>\n<p>Anything that provides greater clarity for organisations on where cookies can be used without specific consent is to be welcomed. However, it is not yet clear what will be allowed. 
We imagine that privacy-intrusive cookies \u2013 such as those that track an identifiable user\u2019s behaviour or allow cross-site marketing \u2013 will still require active consent and therefore a banner. We also see the requirement to respect \u201cdo not track\u201d signals from browsers as useful clarity.<\/p>\n<p>There is welcome news for charities and other non-commercial organisations, which will be permitted to benefit from the so-called \u201csoft-opt-in\u201d. This will allow an opt-out regime for marketing communications, although the government \u201cin parallel, will take steps to make sure that appropriate safeguards are in place to protect individuals who do not wish to continue receiving communications\u201d.<\/p>\n<p>Perhaps the most encouraging element of this proposal is the government\u2019s intention to introduce the same level of fines for breaches of the PECR as for the GDPR. This will bring the threat of a 4% global turnover fine for cookie misbehaviour clearly into focus, along with other bad marketing communications practices.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"International data transfers\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>International data transfers<\/h3>\n<p>Currently, the rules regarding international data transfers under the GDPR-equivalent legislation can be highly complex to manage. The government intends to move away from the existing GDPR-based structures and \u201cintends to create an autonomous framework for international data transfers that reflects the UK\u2019s independent approach to data protection, that helps drive international commerce, trade and development and underpins modern-day business transactions and financial institutions. The UK\u2019s approach will be driven by outcomes for individuals and organisations\u201d.<\/p>\n<p>This is probably the most contentious area to be addressed in the proposed legislation. 
It is clearly an area where the UK intends to move out of alignment with the current adequacy arrangements and therefore is likely to be subject to intense scrutiny, particularly if the suggested changes will allow the data of UK citizens to travel more easily (and less transparently) to countries with less rigorous data protection regimes \u2013 potentially lowering the overall level of data protection currently afforded to data subjects.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Conclusions\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Conclusions<\/h3>\n<p>When looked at in detail, the proposed individual changes do not appear to be as significant as their whole might suggest. It is highly likely that organisations will still have to undertake very similar levels of administration. For example, should the requirements in Article 35 change and DPIAs be replaced, any saving may be exceeded by the need for organisations to have a demonstrable and proportionate privacy management system. The shift to a more centralised and cohesive risk assessment regime is welcomed, as is clarity on cookies and the big uplift in fines for breaching the PECR.<\/p>\n<p>To fully understand the impact on individuals\u2019 rights, we will need to wait for more detail. 
However, the general principles of the proposal would appear to support these rights and continue to ensure that organisations are fully responsible for their implementation. The ones to watch, where there may be a risk of eroding individual rights, include the specifics on allowable cookies and details on international transfers.<\/p>\n<p><em><a href=\"https:\/\/www.linkedin.com\/in\/galdies\/\">Peter Galdies<\/a>&nbsp;is founder and senior consultant at&nbsp;<a href=\"https:\/\/www.dqmgrc.com\/\">DQM GRC<\/a>. <\/em><em>He is a data and technology professional with over 30 years\u2019 experience, providing expert advice on implementing privacy in real business situations with a particular emphasis on privacy-by-design. <\/em><em>DQM GRC is a specialist data protection and privacy consultancy. It is part of GRC International Group and has 25 years\u2019 experience in data regulation and practices.<\/em><\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>At the state opening of parliament on 10 May, the Prince of Wales announced the government\u2019s intention to reform the UK\u2019s data protection regime. Since Brexit, this has comprised two complementary laws \u2013 the UK GDPR (General Data Protection Regulation) and the DPA (Data Protection Act) 2018. 
The UK GDPR applies both to UK organisations [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":36784,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-36783","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=36783"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36783\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/36784"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=36783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=36783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=36783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}