The Government announced the introduction of the Data (Use and Access) Bill (DUA Bill) in the House of Lords on 23rd October 2024 – the first draft of Labour’s proposed changes to data protection law following the failure by the former Conservative Government to embed their Data Protection and Digital Information Bill (DPDI Bill) in law.
Here we have prepared a summary of these likely changes and what they will mean for businesses (data controllers) moving forward.
The UK GDPR
- Under the Data (Use and Access) Bill, the accountability principle remains. This means:
- Businesses are still required to have a Data Protection Officer (DPO) – someone with expert knowledge of the relevant laws, best practice, and GDPR-related risk.
- Businesses will still need to conduct Data Protection Impact Assessments (DPIAs) when considering new processing activities, and demonstrate they have identified and reduced any potential risks associated with the processing before it commences.
- Businesses will still need to maintain a Record of their Processing Activities (ROPA) – a document of your processing activities, lawful basis, retention schedules and security measures.
- There is a proposal to add a new, seventh lawful basis of processing – “processing is necessary for the purposes of a recognised legitimate interest” – examples of which include:
- where a controller (organisation) receives a request to disclose data to a public body which needs it to carry out a public task;
- where the processing is necessary for safeguarding a vulnerable individual;
- processing that is necessary for the purposes of direct marketing;
- intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes; and
- processing that is necessary for the purposes of ensuring the security of network and information systems.
- There are proposed amendments to the way Data Subject Access Requests (DSARs) are administered – data subjects must identify which information or activities their request relates to, especially where controllers process a substantial amount of data on the individual, such as a long-term employee or a client/customer.
- When these DSARs are received, the search for data should be “reasonable and proportionate”. In practice, this means an organisation is unlikely to need to search the depths of its archives looking for the needle in the haystack if it has already made a reasonable search of its current active folders and systems.
- There are suggestions that there is no need to provide a Privacy Notice, or a link to it, where doing so would involve disproportionate effort. For example, if an organisation is collecting data in the field or in a remote location, a simple reference to the Privacy Notice will suffice.
- A complaints procedure for data subjects must be in place, and controllers will need to share with the ICO the number of data protection complaints they have received if the ICO requests it. A complaints register should be created to comply with this.
- Automated decision-making: there will be fewer restrictions on this; however, restrictions will still apply where special category data is being processed.
PECR (Marketing legislation)
These are the Privacy and Electronic Communications Regulations 2003.
- When a company sends spam, the message will count as sent even if the recipient doesn’t exist and it bounces back. Previously, only messages that had been successfully delivered were considered as part of an investigation.
- First-party cookies (and similar technologies) for analytics purposes can be used without the need to gain users’ consent. The reasoning is that these purposes are considered “low risk” to people’s privacy, but can be invaluable to organisations when learning about website traffic.
- PECR fines (currently capped at £500k) are increased to align with the UK GDPR: £17.5m for the most serious infringements.
What does this all mean?
The new Government has revived the old Data Protection and Digital Information (DPDI) Bill that failed to come to fruition under the previous Conservative Government, but has removed some of the more controversial elements, such as the abolition of DPIAs and DPOs (in favour of a Senior Responsible Individual, SRI).
The EU will need to consider the new Data (Use and Access) Bill (DUA Bill) and how it aligns with the UK’s post-Brexit adequacy agreement, as this deal is due to expire in 2025. If the EU decides the UK has diverged too far from the original EU model, it could revoke adequacy or refuse to renew it, which would cause a significant and very costly headache for businesses.
It must also be noted that if a business has operations or partners in the EU, it will still need to comply with the EU GDPR – so the question must be asked: should businesses:
- dilute their compliance effort and adopt the UK version only;
- have two separate compliance journeys – one for the UK, the other for the EU (this could also double the cost of implementation, the number of policies and training efforts); or
- continue on the same path they have followed since the EU GDPR became law in May 2018, and maintain the accepted global standard.
Any changes are likely to be heavily debated in the coming months.