20/03/2023 - On the 8th of March the British government published a press release stating that British businesses will save billions under the new Data Protection and Digital Information Bill (“the bill”) proposed to reform the UK GDPR.
The changes in the bill are intended to unleash more scientific research, increase public and business confidence in AI technologies, support international data sharing, and reduce unnecessary paperwork. This raises the question: did the UK establish a new and improved version of the GDPR?
In this blog, I will focus on changes intended to reduce unnecessary paperwork. I will discuss two main changes mentioned in the bill, their implications on the principles contained in the GDPR and what it means for the future of the UK adequacy decision.
The following two changes are likely to have the biggest effect on reducing unnecessary paperwork:
1. Legitimate interest
A list with predetermined accepted legitimate interests is added to the UK GDPR. This means organizations no longer have to balance their own interests against the interests of the data subject if they want to rely on a specific legitimate interest included in this list. At the moment, the list is focused on public interest, but changes may be made by the British government at a later date. Examples of accepted legitimate interests are detecting, investigating or preventing crime, and responding to emergencies.
2. Record of processing activities
The requirement to keep a record of processing activities will be limited to organizations whose processing of personal data is likely to result in a high risk. Thus, all organizations that do not conduct any form of high-risk processing of personal data are going to be fully exempted from the obligation to create a record of processing activities.
Although the headlines published by the British government indicate that these changes will reduce unnecessary paperwork, there is a downside.
Both the requirement to conduct a Legitimate Interest Assessment (LIA) and the requirement to create a record of processing activities (ROPA) derive from the main principles of the GDPR. The ROPA, in addition to being a specific obligation under the GDPR, is also widely seen as the foundation of GDPR compliance in general.
It is common practice to include more information in a ROPA than is legally required by article 30 of the GDPR. Not only does this help organizations comply with other requirements of the GDPR, but it also enables organizations to demonstrate such compliance. The importance of the ROPA raises questions about the approach of the UK. Is it even possible for organizations to comply with the (UK) GDPR without a ROPA? And how will organizations demonstrate compliance with, for example, the principle of purpose limitation if they do not have a clear overview of their processing activities?
The list of accepted legitimate interests also raises questions. The listed interests, such as preventing crime, are good examples of processing purposes for which legitimate interest can be used. However, processing personal data for the purposes described in the bill can take many forms. Under the GDPR, organizations that want to rely on legitimate interest as a legal basis have to perform a three-step test, part of which is balancing the interests of the organization against the interests of the data subjects. This balancing allows organizations not only to demonstrate compliance but also to think about ways to incorporate the main principles of the GDPR, such as data minimisation, into their processing activities. The list could lead to organizations blindly relying on the pre-determined interests without feeling the need to perform a balancing test in order to demonstrate compliance with other requirements under the (UK) GDPR.
In conclusion, the proposed changes to the UK GDPR test data protection standards at their foundation and represent the UK GDPR drifting further away from the position of its ancestor in Europe.
Since Brexit, the UK government has increasingly viewed the GDPR as a legal burden inherited from the EU. The changes made to the UK GDPR have already sparked debate on the direction of the future UK data protection legal landscape. Although the UK will likely want to keep its adequacy decisions to guarantee unrestricted personal data transfers, it remains to be seen how far the UK can drift from the GDPR without the European Commission or a court invalidating the adequacy decision, which would force organizations to rely on other transfer mechanisms, such as the EU Standard Contractual Clauses.
Would you like to know how these developments affect your organization? Contact us!