Originally introduced to Parliament in July 2022, the DPDI (Data Protection and Digital Information Bill 2022-23) has been refreshed, reintroduced and is poised to move to the House of Lords for consideration.
Flexibility is welcome, but confidence is key
TLD Client Legal Director, Amanda Mallender, is acutely aware of the challenges these legislative changes could bring to SMEs who have been grappling with the complexities of GDPR compliance for years. But she has some good news for smaller businesses,
“With a few notable exceptions (for example, tightening the rules on cold marketing), the aim of these legislative changes is to lighten the administrative burden on businesses. In doing this the Government has to walk a tightrope because it can’t risk moving too far from the high data protection standards our European counterparts expect. If you are already compliant with data protection laws, this Bill shouldn’t be much of a concern, but your business may be able to take advantage of the greater flexibility being offered in some key areas.”
While we wait for the DPDI to be passed, here is Amanda’s overview of the key changes and some points for SMEs to consider.
Clarity on the use of legitimate interest as a justification for data processing
The DPDI Bill recognises a number of circumstances where legitimate interest can now be relied upon. These include national security, public security and defence; responding to civil emergencies, crime, safeguarding vulnerable individuals and democratic engagement. This is great news for charities and non-profits working with vulnerable people.
What to do now:
Consider whether you can simplify your data collection process by removing the need for consent and instead rely on legitimate interests.
Power to push back on malicious Subject Access Requests (SARs)
SARs can be extremely onerous and time consuming to deal with. Currently, a SAR can only be rejected if it is ‘manifestly unfounded,’ but this threshold is being reduced to ‘vexatious’. Further, the time limit to respond to requests is being relaxed so it will be easier to ‘stop the clock’ temporarily while awaiting further detail from the data subject.
What to do now:
Review the types of requests you are likely to receive and who is best placed to respond to them. Update your policies and processes and make sure everyone is aware of the new limits on data subjects’ rights.
Automated decision making and the rise of AI
Automated decision making (ADM) is the process of making a decision by automated means without any human involvement (source: ICO). Often used for decision making processes in financial services, insurance, and education (for example, course applications), they help organisations process large volumes of data quickly and consistently.
The DPDI provides that the restrictions on ADM will now only apply if the type of data being processed is special category personal data, for example, health related data. However, data controllers will have to ensure data subjects are clearly informed of their rights in relation to ADM and that expanded safeguards are put in place.
What to do now:
If your business uses automated processes to make decisions about data subjects, now is the time to revisit your processes and consider if they need to be adjusted to reflect the DPDI.
Data Protection Officers get a new name and a switch in focus
The role of the DPO (Data Protection Officer) has been revised and renamed as the ‘Senior Responsible Individual (SRI). The SRI will have different responsibilities depending on whether they are appointed by a data controller or data processor. If you are a public body or organisation which carries out high risk processing, your SRI must be appointed from senior management.
What to do now:
Consider if your DPO can still act as your SRI. Get ahead of the change by identifying who is best placed to take on the task and ensure training is provided.
Record keeping responsibility reduced for small companies
For small companies with fewer than 250 employees (who do not conduct high risk processing) there is good news: companies will no longer need to maintain records of processing activities.
UK government gets granular on location for international data transfers
Going forward, the Secretary of State will have the option to adopt a risk-based approach to evaluating the adequacy of data protection standards in other countries and may make an adequacy finding in respect of specific sectors or states or provinces within a country.
What to do now:
This a definitely an area to watch as, if implemented, it could remove the need for data transfer risk assessments to be undertaken before data can be transferred.
Cookie consent gets an overhaul – good news for marketers
This is a key part of the government’s aim of reducing red tape. It relaxes the rules around when first party cookies can be dropped without consent. This will be particularly welcome to businesses which have struggled to comply with the current rules when collecting marketing data to help them operate their business.
What to do now:
Consider your first party cookies and whether some of them can now be dropped without the need for consent.
Nuisance marketers be warned
The DPDI empowers the ICO to investigate and take action against organisations who undertake unsolicited direct marketing in breach of the Privacy and Electronic Communications Regulations (PECR) – irrespective of whether the call, email or text is actually received. This measure is aimed at unscrupulous marketeers who send out large volumes of unsolicited calls, text messages and phishing emails.
What to do now:
This will certainly be an area of increased focus and enforcement so, if you undertake direct marketing, now is the time to make sure you are acting in compliance with PECR.
Soft opt-in rule change creates opportunity for charities and non-profits
A proposed extension of the soft opt-in exemption to non-commercial organisations (charities and non-profits) could enable these organisations to carry out direct marketing on an opt-out basis (without consent) if contact details were obtained in the course of an individual expressing interest in, or offering support in, the charities’ objectives. Commercial organisations already benefit from this exemption – but in all cases individuals must be easily able to opt out.
What to do now:
If you are a charity or non-profit organisation, you should consider if you will be able to take advantage of this relaxation in the soft opt in rules.
Governance is the key to compliance
Whilst the list of changes may seem daunting, the new data protection framework gives businesses the ability to relax some of their processes and the flexibility to consider how best to comply in other areas. There are opportunities for those businesses which act proactively and make the most of this increased flexibility.
Author: Amanda Mallender, Client Legal Director at The Legal Director
1 Comment
Pingback: How should you prepare for the new GDPR legislation? | Dealer Support