After the consultation ‘Data: a new direction’ was published in September 2021, the Government responded on 23 June 2022 and set out its intention to reform UK data protection laws and modernise the UK’s global data marketplace whilst maintaining high standards of data protection. As data protection impacts most organisations, we set out some key points to note below:
- Legitimate interest assessments (LIAs) caused some confusion and businesses began to rely on the lawful ground of ‘consent’ rather than ‘legitimate interest’ when processing data. As such, the government will implement an exhaustive list of legitimate interests where the LIA’s ‘balancing test’ will be unnecessary.
- Subject access request impact has been considered and the government plans to change the threshold for refusing or charging a reasonable fee from “manifestly unfounded or excessive” to “vexatious or excessive”.
- A data protection officer will no longer be required and instead a senior responsible individual will oversee the new privacy management programme. Businesses will not be required to undertake data protection impact assessments (DPIAs) and instead will be required to implement risk assessment tools to mitigate data protection risks.
- The government has opted to remove the requirement for cookie banners for UK residents and is ultimately aiming for an opt-out model to improve user experience, but only when appropriate to do so. Until that is reflected in law, the Government will permit cookies on a device without explicit consent for a small number of non-intrusive purposes.
- PECR (i.e. electronic marketing) infringement fines will be adjusted to align with UK GDPR and there will be some extension of what is known as the “soft opt-in” for marketing.
- To boost trade and reduce barriers to data flows, an autonomous framework for international data transfers will be executed to reflect the UK’s approach to data protection. This will clarify where personal data can be transferred across borders.
- Finally, the government will better equip the Information Commissioner’s Office (ICO) to uphold information rights by ensuring strong leadership and governance. This will extend the ICO’s investigatory powers and refocus their attention on higher-risk data processing activities.