On 10 September DCMS (the Department for Digital, Culture, Media and Sport) published a consultation document entitled Data: new direction. Click here to read our article focusing on the implications for public sector organisations. The other key proposals include:
- Removing the requirement to designate a Data Protection Officer (DPO);
- Removing the record-keeping requirements under Article 30 of the GDPR/UK GDPR;
- Removing the requirement to undertake data protection impact assessments (DPIAs);
- Reintroducing a small nominal fee for making a data subject access request (DSAR);
- Reforming the ICO's role, including introducing a new power for the Secretary of State for DCMS to periodically prepare a statement of strategic priorities to which the ICO must have regard when discharging its functions;
- Increasing the ICO's enforcement powers;
- Introducing a new duty for the ICO to cooperate and consult with other regulators, particularly those in the DRCF (Digital Regulation Cooperation Forum: CMA, Ofcom and FCA);
- Relaxing the rules on further processing of personal data for a purpose other than that for which it was collected and permitting further processing by a different controller; and
- Relaxing the requirement for consent to cookies.
Stewart Room, DWF's Global Head of Data Protection, Privacy and Cyber Security, shared his initial thoughts on the proposal on LinkedIn:
- Being different to GDPR isn’t by definition a bad thing. Yes it has many good features, but in some ways it's a camel, in parts a punt rather than evidence-based.
- However, it’s nonsense to say that the proposals constitute a complete rejection of the entire philosophical and jurisprudential system of European law. There’s much good in there – and UK co-owns the history - so we will see lots of the GDPR in the UK for the long term.
- Some of the proposed accountability changes may seem dramatic but are more akin to old wine in new bottles rather than truly radical. Losing express legal requirements of GDPR returns us to the implicit legal requirements of 95/46, through the Privacy Management Framework, requiring fundamentally the same operational outcomes albeit using different words. Will we get rid of DPOs and DPIAs? Yes, sure, but, actually not really.
- On the other hand, it’s certainly not a win-win for all. People on low or no incomes could lose a lot if the DSAR fee regime truly replicates FOIA. Only the rich, or ignorant, will not see this.
- A statutory duty for ICO to have regard to gov policy/strategy has the potential to be truly disruptive to civil liberties, but that’s not inevitable: Parliament, the draughtsperson and public law have the ability to curtail Big Brother through words. One to stay alert to.
- ICO is not an economic regulator. The comparison with the other regulators is iffy for this reason. Argument flowing from that, the same.
- Note the proposed increases in enforcement powers. Section 166 notices for personal data breaches? Compulsory witness attendance? Controllers aren’t getting a free pass here. This is GDPR plus plus.
- If you’re cynical, you might see the new ICO structures as a gov-patsy’s charter. Look at it differently and you might see potential for vast improvement. Either way, the current system’s not perfect: there is certainly room for improvement.
- Reuse of information and repurposing for growth inevitably means function-creep potential. Something to keep privacy activists, pros and lawyers awake, but HMG probably assesses that it has enough power in its data-based-Pandemic-successes narrative to win the popular vote. Throw in cookie-pop-up-annoyance narrative for good measure: home run?
- Yes, there might be enough in the proposals to wind-up adequacy doubt. But this is Brexit, so the risk’s been priced-in.
Obviously, there’s much more to it than set out here, but it’s impossible to say at this stage that it will be better or worse than GDPR. It can go either way.
My suggestion: don’t declare an early winner or loser; keep an open mind for the possibilities; support the good bits; call out the bad bits; avoid fear sells and scaremongering (outside the privacy echo chamber, people don’t want that); respond to the consultation to have your say.
The consultation is open until 19 November. We will monitor developments closely and report on the outcome of the consultation and the implications for public sector organisations. In the meantime, if you would like any advice on the possible impact of the proposed reforms, please contact one of our data protection specialists.