Amendments to UK GDPR Legislation – The Top Five Things You Should Know

Introduced to the UK Parliament in March 2023, the Data Protection and Digital Information (No.2) Bill is currently at the House of Commons Report Stage. Although it may still be subject to change, the proposed amendments will affect businesses, so it is worth preparing now.

Why is it changing?

The Bill is looking to cut some of the red tape associated with the current legislation whilst making sure that the data protections provided in the UK are still considered adequate to allow the free transfer of data between the EU and the UK.

Five key changes

The Bill is designed to simplify some of the processes around GDPR compliance, so if you have strong data protection measures in place already, you will probably not have anything additional to do. You may even find opportunities to relax procedures and gain some operational efficiencies. Here are five imminent changes to be aware of:

Recognised legitimate interests:

Under UK GDPR, relying on the lawful basis of legitimate interests always requires the carrying out of a balancing test: a data controller must balance an assessment of its purpose and the necessity of processing data against a consideration of the data subject’s rights and interests. The new Bill introduces certain “recognised legitimate interests” for which a controller will no longer need to carry out a balancing test.

The current proposed list of “recognised legitimate interests” may not be of much use to many businesses, since it is limited to processing necessary for national security, public security and defence; the detection, investigation and prevention of crime; responding to an emergency; safeguarding vulnerable individuals; and democratic engagement.

What is likely to be of more use is a recognition in the new Bill that direct marketing, intra-group transfers of data for administrative purposes and ensuring the security of network and information systems are purposes constituting legitimate interests, but you will still need to carry out a balancing test to justify this reliance. In addition, the Secretary of State is given powers to introduce further recognised legitimate interests at a future date.

Reduced Record Keeping requirements:

Article 30 of the current UK GDPR, which requires extensive record keeping, is removed and replaced by an obligation to keep records only where the personal data processing is likely to result in a high risk to the rights and freedoms of individuals. This will be a welcome reduction in bureaucracy for the many businesses not carrying out high-risk processing.

Subject Access Requests (SARs):

Responding to SARs can be onerous for businesses, and, in what will certainly be welcome changes, the new Bill provides that the time limit for responding is extended where the controller reasonably requires further information from the data subject. The threshold for rejecting a request or charging a fee is also being lowered from “manifestly unfounded or excessive” to “vexatious or excessive”.

AI:

With the phenomenal development of AI, it is no surprise that the new Bill seeks to clarify how automated processes should be undertaken. Though there is no longer a general ban on automated individual decision-making, the Bill specifies the need for data subjects to be adequately informed of their rights and to be able to obtain human intervention to challenge any automated decision-making process. So, it is worth reviewing any automated processes you use that make decisions about data subjects.

Senior Responsible Individual (SRI):

The role of the Data Protection Officer is being amended and renamed as the “Senior Responsible Individual”. If your organisation undertakes high-risk processing, or is a public body, you must appoint an SRI who is part of senior management. Be aware that the Bill distinguishes between the responsibilities of an SRI in a controller and one in a processor, so make sure you familiarise yourself with the requirements of the role that apply to the nature of your processing.

Where to start

Assign someone within your organisation to keep an eye on the progress of this Bill. And if you’re looking to build a compliance programme that allows you to manage your data effectively, you need to first understand what data you hold and process and where it is. Draw up a data map to help you to do this. Understanding your organisation’s data will give you the right foundations to ensure you stay up to date with any legislative changes.