UK Government Commits To SME-Friendly Data Protection Reforms

June 23, 2022
Despite a desire from the UK government to reduce compliance for businesses, there has been pushback from respondents over a number of issues.

The UK government has published the summary of responses for proposed changes to UK data protection requirements, which lays out which changes the government is going forward with.

The proposals were created with several principles in mind, such as future-proofing the UK’s data protection regime, removing barriers to businesses and ensuring all current compliant firms remain compliant.

These proposals include:

  • Standardising data processing terminology.
  • Creating a list of reasons to process data without a legitimate interest assessment.
  • Clarifying the limits and scope of Article 22 of the UK GDPR.
  • Reforming the Information Commissioner's Office (ICO).
  • Removing the requirement for prior consultation with the ICO for high-risk processing.
  • Removing the requirement for data protection impact assessments.
  • Removing the requirement for a designated data protection officer.
  • Making adequacy agreements with other jurisdictions.
  • Several changes removing consent requirements for the use of cookies, including moving from an opt-in model of consumer consent to an opt-out model, with the exception of websites intended for children.

At the same time, the government also outlined several significant changes and a continuation of existing rules:

  • Shelved plans to develop a regulatory space for “responsible development, testing and training of AI”.
  • Increasing fines to EU (GDPR) levels.
  • A new complaints-handling mechanism which moves the burden of complaints away from the ICO towards the responsibility of the data controller.

Arguing for regulation

Despite the attempt by the government to “reduce the burdens on businesses”, the responses show a less than enthusiastic appetite for some of the changes on offer.

One such objection was to the removal of Article 22 of the UK GDPR, the right to human review of automated decisions, which was opposed by the “vast majority of respondents”, with some arguing removal would “damage the reputation of the United Kingdom as a trustworthy jurisdiction for carrying out automated decision-making”.

The majority of respondents also disagreed with the proposal “to remove the requirement to undertake data protection impact assessments”, saying they were “helpful to identifying and mitigating risk”, with some respondents instead asking for flexibility to tailor it to their organisation.

This is despite the report saying that data protection impact assessments were a “more prescriptive duplication of other risk assessments” that achieved the “same outcome” within the firm.

Similarly, a majority disagreed with the proposal to no longer require a designated and independent data protection officer, as it was feared this could result in the “loss of data protection expertise” in the business, as well as a loss of consumer trust derived from a “lack of independence”.

The government has decided to press on with removing these requirements anyway, as making these requirements no longer mandatory, it claims, “would be beneficial for smaller businesses”, especially those that do not “process highly sensitive personal data”.

The new rules will require firms to have “risk assessment tools” for identifying, assessing and mitigating data protection risks, as well as appointing a “senior individual” in the firm to make sure data protection is being considered at a senior level, rather than having to hire a specialist and independent data protection officer.

However, firms can still use impact assessments and data protection officers if they wish.

The result of these changes is likely to be a small but identifiable compliance advantage for smaller payment firms, which may feel they can meet the requirement more flexibly, while larger firms retain a higher degree of structure; most organisations said, for example, that they “likely would” retain a data protection officer.
