Navigating Data Protection Law Changes

Issue 98

On 18 July 2022, the Data Protection and Digital Information Bill (the Bill) was introduced to Parliament, and it is now progressing through the legislative process.

Rhiannon Hastings, data protection paralegal at leading commercial law firm Muckle LLP, answers some questions about how these changes might affect you.

When will the Bill be made law?

This is anticipated to become law in mid-2024.

This means your organisation must address the changes the Bill will make to UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations in readiness and ensure your data protection framework and practices meet these requirements.

Are we still required to have a Data Protection Officer (DPO)?

Currently, DPOs are only mandatory for public authorities or organisations that carry out a high volume of ‘high risk’ processing. DPOs must work with the senior management team in the capacity of an independent advisor, be an expert in data protection and have adequate resources.

The new Bill will effectively substitute the role of a DPO for a Senior Responsible Individual (SRI).

If your organisation is required to appoint a DPO under the current legislation, you must appoint an SRI once the Bill is implemented. However, the SRI must be an actual member of senior management.

Are we still required to continue managing a record of processing activities (ROPA)?

A ROPA is a record of your processing activity. The UK GDPR requires organisations to maintain a ROPA if they have over 250 employees and/or process special category data. However, the Bill no longer requires organisations to document processing activities in a ROPA and will instead require organisations to implement a ‘privacy management programme’.

To comply with this change, we recommend undertaking an exercise similar to that required to compile a ROPA in order to create the privacy management programme. A data map will remain extremely helpful for understanding how personal data is being used, where it is being stored and who else has access to it.

Do we still need to obtain explicit consent for using cookies?

The current legislation requires organisations to obtain consent from data subjects before placing cookies on their device. However, this doesn’t apply to “strictly necessary” cookies.

The Bill will provide organisations with more freedom by allowing them to collect personal data using cookies for non-intrusive purposes without consent being required. An example is measuring visitors to your website via Google Analytics. However, targeting cookies (i.e. cookies used for advertising purposes) will still require consent from data subjects in order to comply with other relevant legislation.

This change will only apply to data subjects based in the UK. Therefore, organisations must observe other countries’ legislation concerning the use of cookies if their website is likely to be accessed by data subjects based outside the UK.

In addition to supporting organisations, the Bill will reduce the number of cookie pop-ups received by individuals, hopefully reducing the associated irritation factor!

How does the Bill change the current approach to managing and responding to subject access requests (SARs)?

A SAR is a request for an individual’s personal data from an organisation. Currently, organisations can either charge a reasonable fee to comply with a SAR or refuse to respond to it entirely if it is “manifestly unfounded or excessive”.

However, the Bill replaces the wording “manifestly unfounded” with “vexatious”, meaning organisations can charge a reasonable fee, or refuse to respond to a SAR, when they consider the SAR to be vexatious or excessive.

To help your organisation decide this, the Bill will require the Information Commissioner’s Office (ICO – the UK regulator) to produce a code of practice explaining how the terms “vexatious” or “excessive” should be applied.

Next steps

This article only covers a small number of changes introduced by the Bill. To ensure you’re up to date with the latest data protection legislation, sign up to one of our events via www.muckle-llp.com/events

If you need help with compliance in the run-up to the Bill becoming law or for more information on other data protection matters, please contact Rhiannon using: rhiannon.hastings@muckle-llp.com
