The government have said they would like the Information Commissioner’s Office to be reformed to drive economic growth and innovation and strengthen public trust in the use of data.
Alongside the announcement, the UK government have produced a document called “Data: a new direction”, which outlines the major changes to GDPR they would like to make.
Key changes the government are willing to make
- Removing the requirement for organisations to have a designated Data Protection Officer. The proposed new requirement is to designate a suitable individual, or individuals, to be responsible for the privacy management programme and for overseeing the organisation’s data protection compliance.
- Changes to the threshold for reporting a data breach to the Information Commissioner’s Office (ICO).
- Removing the requirement for prior consent for all types of web cookies. The government have considered two options: (1) permit organisations to use analytics cookies and similar technologies without the user’s consent; (2) permit organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes.
- Creating a new separate lawful ground for the lawful use of personal data in research – this is in response to the COVID-19 pandemic.
- Drawing up a limited exhaustive list of legitimate interests where organisations can use personal data without applying the public interest balancing test.
- The potential removal of Article 22, which is the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This would potentially remove the right to object.
- Introduction of fees for subject access requests.
- The potential removal of the need for Data Protection Impact Assessments – The government proposes to remove the requirement for organisations to undertake a data protection impact assessment, so that organisations may adopt different approaches to identify and minimise data protection risks that better reflect their specific circumstances.
- The potential removal of Article 30 – Record of Processing activities – The new requirements under a privacy management programme would still require certain records to be kept. Organisations will have more flexibility about how to do this in a way that reflects the volume and sensitivity of the personal information they handle.
Why the changes?
The government have recognised that the current law places disproportionate burdens on many organisations, stating that smaller organisations should not have the same Data Protection processes as larger organisations. The government are aiming to create a structure that allows smaller organisations to present their compliance in a different way.
The government have put together a public consultation on the reforms to the UK’s Data Protection Regime. The consultation closes on 19th November 2021 at 11:45 pm.
All Response Media viewpoint
The government’s recommendations could cause some dysfunction within organisations. Businesses are only now getting to grips with the GDPR, and all the potential changes may set organisations’ GDPR structures further back.
The idea of removing Article 30 can cause more harm than good as organisations will fail to identify what personal data they hold and the retention periods.
Another government reform that may cause an issue is charging for subject access requests. This could do good for organisations as it may prevent nuisance requests. However, it may also deter people who have a legitimate reason to make the request from stepping forward. It is important for the government to maintain that citizens have the right to access and protect their data.