11 May, 2023
On 10 May 2023, the Government released supporting documents, outlining how the Data Protection and Digital Information Bill (No.2) (the Bill) proposes to amend the Data Protection Act 2018 (DPA), UK General Data Protection Regulation (UK GDPR) and Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The Bill, which was reintroduced into Parliament on 8 March 2023, is currently in its first reading. If approved and enacted, the Bill will introduce some key changes to the UK's current data protection regime, in a partial departure from the previous regime.
The Government's most recent update has prompted us to consider the effects of these changes across sectors, but predominantly the education and wider public sector.
As currently drafted, the Bill arguably produces a more relaxed data protection regime, than what has previously been required under the EU General Data Protection Regulation. In effect, this should offer organisations a greater degree of certainty and flexibility in dealing with their data protection compliance.
The key departures proposed offer organisations the opportunity to consider their current level of compliance with the existing data protection legislation and begin to plan for what their compliance arrangements may need to look like moving forwards.
The Bill intends to clarify the UK GDPR and DPA, by confirming that organisations, as controllers of personal data, can delay dealing with a Subject Access Request until they have confirmed the identity of the individual making the request. Whilst this isn't necessarily a departure from current known practices, it does give individual's clear indication of an organisations right to delay their responses for this purpose.
Similarly, the Bill introduces further guidance surrounding the factors organisations should consider when deciding if a request is 'vexatious' or not, alongside examples of the same, which are:
Arguably, many organisations will consider these welcome additions to the existing UK GDPR and DPA, as they will most likely generate greater confidence in decision making and provide greater support, in the event of complaints from individuals about the circumstances in which their requests may be refused.
Perhaps most significantly, the Bill intends to introduce a departure from the appointment of a 'Data Protection Officer' (DPO) in the existing UK GDPR and DPA, in favour of the appointment of a 'senior responsible individual.' This appointment will apply to both public sector bodies (such as local authorities and schools) and those who are considered to be involved with 'high risk' data processing.
The senior responsible individual should generally be one individual and be a member of an organisation's 'senior management.' For the purposes of the legislation, 'senior management' will be taken to mean "individuals who play significant roles in the making of decisions about how the whole or a substantial part of its activities are to be managed or organised." For schools, this will likely require their senior responsible individual to be a member of their senior leadership team, or above.
Whilst the responsibilities of a 'senior responsible individual' will largely reflect the existing role of any existing DPO, these departures will require all organisations to reflect on the suitability of their current arrangements.
Under the new regime, existing DPIAs are to be replaced by a perhaps more prescriptive, 'Assessment of high-risk processing.' The amendment appears to propose a more simplistic approach to conducting such assessments, covering the following areas:
a summary of the processing;
This should support organisations in producing more consistent and structured assessments of anticipated processing risks and the factors they are required to consider, to satisfy their obligations to give due consideration to, and implement, appropriate safeguards to protect personal data.
Access to a full copy of the Bill's supporting documents, outlining the changes to the UK GDPR, DPA and PECR is available to view here: https://www.gov.uk/government/publications/data-protection-and-digital-information-bill-impact-assessments
Whilst the Bill proposes the introduction of some welcome clarification and guidance, it also poses important questions about how organisations, and in particular public sector organisations such as schools, delegate responsibility for data protection compliance moving forwards. For some, this will be a fairly straightforward task and involve making sure that those with data protection responsibility are of sufficient seniority. For others, this will be anticipation of moving their DPO role 'in-house' moving forwards. This will likely require organisations to invest in a sufficient degree of upskilling in the short to medium terms, to ensure those appointed in such a role have the experience required by the legislation.
At present, the Bill remains in the early stages of Parliamentary approval, though it is vital organisations remain aware of the potential effects of such proposals on their business operation, including anticipation of what training and support may be required to assist in making any necessary changes.
If you would like to discuss your current degree of data protection compliance and/ or your proposed arrangements moving forwards, we are more than happy to provide advice and support, alongside preparation and delivery of bespoke training packages, aimed at educating and supporting your organisation with data protection compliance. If you would like to discuss this with us further, please contact Bethany Paliga, Senior Associate and Accredited Data Protection Practitioner in our Governance, Procurement and Information team, via email at Bethany Paliga or via telephone on 01254 222347.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
Learn more about our Governance, Procurement & Information department here