Camilla Winlo at Gemserv considers whether a new data protection act will maintain trust in UK data privacy
At the Conservative Party conference, Secretary of State for the Department of Culture, Media and Sport (DCMS), Michelle Donelan, announced what sounded like a return to the drawing board for data protection in the UK.
The UK was very influential in the development of the General Data Protection Regulation (GDPR) – the EU’s data protection legislation. It was enacted in the UK before leaving the EU. But data protection is now seen as an area with potential for ‘Brexit dividends’.
Politics has been moving extremely fast in the UK. So much so that the ‘Data: a new direction’ consultation was issued by Oliver Dowden, and the subsequent Data Protection and Digital Information Bill (DPDI) was put before parliament by Nadine Dorries before being withdrawn for review by Donelan – all in the space of a year. It was a huge relief when Donelan was reappointed to DCMS by Rishi Sunak, bringing much-needed stability to this crucial department.
GDPR is now four years old, and we have learned a lot in that time. It has become the global gold standard for data protection and most international data protection laws are very similar to it. Certain features are essential requirements for any country – such as the UK – that wants to be considered ‘adequate’ by the EU. The US has, for example, announced the formation of a new Data Protection Review Court to ensure judicial oversight as part of its new agreement with the EU.
The Data Protection and Digital Information (DPDI) Bill, as currently drafted, keeps the fundamentals the same as GDPR, but gives organisations more freedom in deciding how to implement them. This is being sold as a simplification but – certainly to begin with – is likely to be anything but.
There is no question that some of the requirements of GDPR are an uncomfortable fit for certain organisations and processing activities. But designing a more suitable approach that still meets the legal objectives is a significant undertaking.
It is also riskier in some ways. In the event of an incident, any subsequent regulatory investigation may have a starting presumption that there must have been flaws in the governance approach or the incident would not have happened, and that these flaws are the fault of the organisation.
Donelan’s speech to the Conservative Party conference provided two main hints about her thinking.
First, she described the difficulties that very small organisations and small local voluntary groups can have in confidently processing personal data – and doing it lawfully. These organisations currently carry out data processing in a way that is very similar to individuals. To combat this, it looks like Donelan is considering offering them a variation on the existing domestic use exemption. That would be a genuine simplification for those organisations and would be unlikely to change people’s data privacy risk.
Second, she suggested that she would rewrite data protection law alongside businesses. This might simply be a reference to the ‘Data: a new direction’ consultation that has already been carried out. It might indicate returning to some of the consultation ideas that did not make it into DPDI, or rejecting some of the ideas that did. Equally, it might be just a matter of messaging and an attempt to distinguish between what Donelan is seen to deliver and what has been delivered by previous incumbents.
Alternatively, it might suggest that she actually does plan a return to the drawing board and a new consultation – though this seems less likely. After the turmoil of two leadership changes in under two months, there is political pressure on Sunak to call the next general election, and with current polling suggesting that the Conservatives may not form the next government, there may be limited time to get bills approved before another change in circumstance.
Therefore, if Sunak and Donelan want data protection reform to be part of their legacy, they need to get the legislation passed in this parliament. It does not give them long for wholesale change. Nevertheless, it could happen.
Many data protection experts are concerned that the volume of change, and some of the rhetoric around the data protection reform, may lead organisations to conclude that the UK is relaxing its rules on data protection. I don’t see much evidence of this. However, there is a risk that businesses might believe they can relax their focus on data protection.
Individuals are increasingly well informed about data protection issues and evidence suggests that data protection influences their behaviour, including whether to buy or use services. A relaxed focus on data protection is therefore a commercial risk. At the same time, based on the recent flurry of enforcement action we’ve seen, the Information Commissioner’s Office (ICO) appears to be somewhat reinvigorated under new Commissioner John Edwards and so the regulatory risk may come as a surprise.
For now, GDPR remains law. Even if the DPDI passes in its current form, continuing to comply with GDPR will also be a valid option. For many organisations, ‘no change’ will be the best response.
However, for businesses that might benefit from these new flexible approaches, starting to consider how any new rules might be implemented is a must, because designing for them will take time.
Camilla Winlo is Head of Data Privacy at Gemserv