The UK Data Reform Bill – nine things you should know

by Kevin Tunison
Published on 29th Aug 2022

Much has been discussed regarding the recent proposed UK data legislation. I’ve run through nine key takeaways for organizations that aim to dispel some of the FUD (fear, uncertainty, and doubt) regarding the reforms.

1.      Multiple Bills are amended by the Data Reform Bill

There are several laws that are amended by the proposed legislation. This includes UK GDPR, the UK Data Protection Act, and PECR (ePrivacy).  There are additional laws now referenced including the Care Act 2014, Science and Technology Act 1965, Income Tax Act 2003, and the National Health Service Act 1978 (Scotland) amongst others.

Much of the reason for the additional references is the expanded consideration for using personal data in research. The main result is a prescribed list of lawful processing for ‘similar’ purposes that includes themes relating to national security, democratic engagements such as elections, emergencies, crime, and safeguarding.

2.      There will continue to be records of processing

Rather than being called a ROPA (Records of Processing Activities), it will now be a Records of Processing Personal Data. You will still be required to document your data flows. There are some additional prescriptive items to document, such as how the data is secured and the risks involved in processing.

Organizations with fewer than 250 employees will continue to be exempt if the data is not in a special category. In short, very little changes in the need to maintain accurate records.

3.      Pseudonymization does not really change

The definition specifies that it relates to a living individual. This change of term from ‘natural person’ is used throughout the bill.

4.      Consent is more implicit

There are now a number of what some will consider exclusions to explicit consent that is traditionally sought within EU GDPR. This may become confusing because the scenarios laid out are situational. For example, if the data is used to generate statistical reports with no personal data, this would not require consent in the proposed legislation. Additional exclusions exist for scientific research (and no other purpose) or in the interests of public health.

5.      Additional processing of personal data is expanded

Organizations would be able to carry out additional processing of personal data by making use of the prescribed list (Annex 2) of purposes laid out in the bill. There is the potential for this list to be expanded upon by using what is called the ‘affirmative resolution procedure’. What this means is that if there are no parliamentary objections within 40 days, the proposed amendments are accepted as though they were voted upon.

Even if the additional processing would not be in the prescribed list, there is still the potential for it to occur. A new Article 8A is introduced that gives a fairly subjective list of guidance that effectively says if the processing is ‘compatible with the original purpose’ then it is probably lawful. It would not be a surprise to see this aspect of the legislation go through a legal challenge because of the amount of uncertainty it introduces.

To put it into a practical example: for argument’s sake, if a comparison website were to offer a list of insurance providers for automobiles, advertising offerings for other types of insurance (life, product, travel, etcetera) would be considered compatible with the original purpose.

6.      Data Subject Rights can be refused if requests are being made for malicious reasons

There is additional description to help organizations identify whether a request is considered vexatious or excessive. For example, multiple kinds of request that often arise in parallel to a complaint, and that are intended to cause a business to use resources rather than to serve an actual purpose, could potentially be refused.

The other potential change of note is that there can be a start/stop to the one-month period if an organization requests additional information needed to complete the request.

7.      Automated decision focuses on the legal impact

Up to the present, the consideration of automated decision making in GDPR has had a wide scope of applicability. The proposed changes narrow the focus to automated processing that produces ‘a legal effect’. This contrasts with GDPR at present, which includes the analysis and profiling of cookie and tracking technologies, where many interpret that kind of profiling as not having a legal effect (but a potential invasion of privacy nonetheless).

A practical example of the automated decision in practice is that loan applications would still be something an individual can request a person to review, whereas a chatbot interaction on a support website may not be.

Similar to the prescribed list of additional processing, this section of the proposed legislation has the scope to be expanded subject to the ‘affirmative resolution procedure’.

8.      Technical and organizational measures, AND MORE

A subtle change: there is an expanded interpretation of measures to be more than technical and organizational. So what does this mean? Historically the interpretation was specific to IT security and organizational policy (i.e. a security policy, an acceptable use policy, etcetera). ‘Appropriate measures’ implies that third-party assessments to common IT frameworks like ISO 27001 can now be referenced as an appropriate measure.

9.      The DPO is still required in everything but name with additional responsibility.

This has perhaps garnered the most attention across privacy professionals during the consultation. The proposed changes actually amount to very little. The name is now ‘Senior Responsible Individual’ and, contrary to case law in Belgium, they must form part of the senior management. Perhaps contrary to this is the list of exclusions to prevent a conflict of interest. How organizations address this will likely vary greatly.

Unlike GDPR, the individual will now be responsible for organizing training rather than monitoring the progress of training delivered by the organization.

Final thoughts

While there are many aspects of UK GDPR not covered in this article, such as International Transfers, it is clear there is quite a lot more potential to use personal data in more efficient ways that can unlock economic growth. Just as with any tool, it can be used for good and bad. It will no doubt create an additional burden to enforce against bad practices. The investigations to do so are no doubt time and resource intensive.

While we only covered UK GDPR, there are also substantial changes in the Data Protection Act 2018 that enable the ICO to do exactly this. One of these is the expanded power of the ICO to compel anyone to attend interviews and answer all questions in any matter deemed relevant. This includes time worked with past employers or contracts.