The Data Protection and Digital Information Bill 2022-23 was introduced to Parliament on 18 July 2022. As part of the law-making process it is currently passing through the House of Commons, after which it will go to the House of Lords and then through the final stages.

Much of its content aims to reduce the compliance burden on organisations without losing the valid and important purpose of data protection law: protecting individuals from misuse of their personal data.

At 192 pages long, the Bill, once enacted, will affect all aspects of compliance, although the precise impact will of course depend on the nature of an organisation's processing.

4 changes proposed by the Bill:

  1. No need for a Data Protection Officer ("DPO") (BUT a senior responsible individual must be appointed within the organisation). Currently, organisations, whether data controllers or data processors, are required to appoint a DPO in certain circumstances (e.g. public authorities, or where core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data). Whilst the Bill proposes to remove this requirement, a replacement provision will require controllers and processors in similar circumstances (broadly, public bodies and organisations whose processing is likely to result in a high risk to the rights and freedoms of individuals) to appoint a senior responsible individual, who must be part of the organisation's senior management, to carry out a number of tasks previously within the remit of the DPO. That individual's contact details must be made publicly available and provided to the Information Commissioner's Office (the "ICO"). It will still be possible to outsource or delegate some of these functions, but the change is intended to put data protection on the agenda at senior level, culturally as well as formally. (We'll be providing a separate information sheet on this in due course. If you would like to sign up to receive it, get in touch.)

  2. No need to complete a Data Protection Impact Assessment ("DPIA") (BUT documentary evidence of an assessment of processing risks is still needed). Data controllers are currently required to produce a specifically titled DPIA where processing is likely to result in a high risk to the rights and freedoms of individuals, and the ICO has specified scenarios which fall within this category (e.g. processing on a large scale). It is a very specific document with very specific content requirements. Many who find this a labour-intensive, complex task may breathe a sigh of relief, but it may be short-lived: again, this is not a blanket removal of the requirement. Data controllers will still be required to document an assessment of the risks of their high-risk processing, and there is still certain content that the record must contain. However, that detail can be recorded in a format that fits the organisation's existing risk management framework, rather than re-inventing the wheel with a separate document which often overlaps with that framework anyway.

  3. Recognition of vexatious Subject Access Requests ("SARs"). Whilst access by individuals to their personal data is of course a cornerstone of the GDPR, there is no doubt that this right is sometimes used as a "sword" by aggrieved customers or ex-employees, rather than the intended "shield" to protect or uphold their rights in relation to their personal data. Current law gives a chink of light in these cases: it allows data controllers some options where a request is "manifestly unfounded" or "excessive". The Bill intends to replace "manifestly unfounded" with "vexatious". The burden of proof to show that a SAR is vexatious or excessive remains on the data controller, and the Bill proposes some non-exhaustive examples of what vexatious might mean, including requests intended to cause distress or not made in good faith. This is arguably a step closer to being able to bring the real context of these VERY time-consuming SARs directly into the assessment. (We'll be providing a more detailed review of this and the other changes regarding SARs in due course. If you would like to sign up now for this, let us know.)

  4. Marketing fines. The Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") are the legislation that governs direct marketing. In sharp contrast to the maximum multi-million pound fines for GDPR breaches (up to £17.5 million or 4% of annual worldwide turnover, whichever is higher), the maximum penalty under PECR is currently only £500,000. The effect of the Bill will be to bring this low maximum into line with the GDPR, so that the GDPR limits will also apply to PECR breaches.

If you would like to discuss this in more detail or have any questions, please contact Tracey@law-point.co.uk or call 01202 729444.