Expect change. The General Data Protection Regulation (GDPR) is getting a post-Brexit makeover as new data protection rules are planned.
The Data Protection and Digital Information Bill is set to amend existing legislation – such as UK GDPR. The government says this will reduce the burden on businesses, replacing a ‘one-size-fits-all’ approach with risk-based compliance. As well as updating and simplifying the data protection framework, the aim is to give the flexibility to drive greater innovation.
Headline issues include:
- replacement of the requirement to appoint a Data Protection Officer, with a new requirement to appoint a senior responsible individual. Organisations carrying out ‘low risk’ processing activities will not need to make this appointment
- new requirements on record keeping, with controllers or processors employing fewer than 250 people exempt from the duty to keep records unless carrying out high risk processing
- changed procedures around data subject access requests, giving more grounds for a business to refuse or charge for these
- data protection impact assessments to be replaced by an assessment of high risk processing.
A change to the regulatory body, the Information Commissioner’s Office, is planned, with its powers transferred to a new body, the Information Commission.
Whilst a broad outline of proposals is starting to emerge, at this stage, there are two things to bear in mind.
- Details may yet change before the Bill becomes law.
- The European dimension: UK businesses operating in both the EEA and the UK will need to make sure they are compliant in each. Further, the free flow of personal data from Europe is currently guaranteed by the EU’s ‘Adequacy’ decision, but the government acknowledges that ‘As the UK diverges from EU GDPR, the risk that the EU revokes its Adequacy decision increases.’ This is a point businesses engaging with the EU will want to keep under review.