GDPR to be scrapped? Here’s how the UK’s new data rules would impact compliance officers

A new bill on data protection and digital information would reduce the compliance burden for UK businesses, according to experts.

The Data Protection and Digital Information Bill is the UK government’s replacement for GDPR. Designed to reduce compliance burdens for UK businesses, the bill is likely to have the desired effect, according to the government.

However, the bill’s divergence from GDPR could make compliance more difficult for businesses with European customers, the experts warned. Furthermore, together with the government’s new AI rulebook, it introduces new responsibilities that may require additional technical expertise.

According to the International Association of Privacy Professionals (IAPP), the proposed bill’s underlying principles are consistent with GDPR. “From a compliance perspective, the essential similarities between the two regimes will not cease to exist once the DPDI Bill becomes law,” it found.

According to Dr Katharina Koerner, senior fellow at the IAPP, the detailed changes will reduce the compliance burden on data protection officers and privacy professionals.

However, Koerner points out some areas where the bill, as proposed, would increase compliance requirements. In addition to these, the new provisions require that unlawful direct marketing be reported to the ICO.

Breach costs may also rise. The maximum fine for infringing web cookie or direct marketing rules is currently £500,000, but this could rise to 4% of global revenue.

The proposed bill would replace GDPR’s requirement for organisations to appoint a data protection officer (DPO) with an obligation to instead identify a “senior responsible individual”. Koerner does not believe this will see the elimination of DPOs, however, as many of the measures mandated by the bill would require specialist expertise. “The need for our profession is ever growing,” she says.

The bill also includes legislation to promote the use of digital identity, allowing users to authenticate their identity without paper documents. This is an “impactful development for privacy professionals”, Koerner says. “New technologies such as self-sovereign identity will possibly get adopted and need to be understood and implemented.”

‘Seize the benefits of Brexit’

The announcement criticised the EU’s “highly complex” General Data Protection Regulation and promised a “clampdown on bureaucracy, red tape and pointless paperwork” to “seize the benefits of Brexit.”

Key points of the plan:

  • SMEs will no longer be required to have a data protection officer and fill out “lengthy impact assessments.”

  • Internet users will be given the option to opt-out rather than needing to opt-in for the collection of tracking cookies

  • Increased fines for the perpetrators of nuisance calls and texts

  • Researchers will not need to be as specific about why they’re collecting data: they could rely on a previous consent, rather than getting a new approval for their particular study

  • The government can exert more control over the country’s data watchdog, the Information Commissioner’s Office (ICO)

How should things unfold?

As far as we know, it will address the proposals outlined in the government’s earlier consultation. The document contains many suggestions, some of which are likely to be rejected or updated following the consultation period. Changes are likely to focus on:

  • Flexibility in the accountability process

  • Increasing the threshold for notification of data breaches

  • Fees for subject access requests to be reintroduced

  • Restructuring cookie consent rules

  • Transferring international data using alternative methods.

Artificial intelligence compliance regulations in the UK

Along with a new AI rulebook, also unveiled this week, the DPDI Bill proposes new rules for the way in which organisations use artificial intelligence. For example, “automated decision-making is subject to certain safeguards and the processing of special categories of data for the purpose of mitigating algorithmic bias is legitimate,” explains Koerner.

The AI rulebook, meanwhile, requires that organisations appoint an individual with responsibility for AI use. Will this responsibility fall to data protection and privacy officers? That remains to be seen, says Koerner. “There is a very big overlap between responsible AI and privacy, and as a result, governance models are emerging.”

“The person owning the responsible use of AI may report to the chief privacy officer,” she explains. “But they might both report to a third function, like the general counsel. In SMEs, those two roles can potentially merge in one.”

Best practice for responsible AI is to “integrate it into existing governance structures”, says Lee Howells, head of AI at PA Consulting. This governance should be able to draw on functional expertise from across the organisation, he adds, as “such expertise is likely to be held in multiple resources rather than an individual, especially in larger organisations”.

The rulebook requires that the use of AI is explainable. As a result, says Howells, “the entity responsible for understanding why an AI application has advised a given decision needs to be proficient at asking ‘why’; stopping only when the data scientists responsible for developing the AI application can explain incontrovertibly why it is determining the answer it is.”

Whether or not they are ultimately given responsibility for AI, privacy and data protection officers nevertheless need to understand the technology, says Koerner.

“AI is a fast-growing field. Privacy professionals need to constantly learn and educate themselves in this ever-changing AI environment. Besides technological aspects that must be understood, there are many open legal questions.

“With new regulations coming up, the complexity of AI requirements is increasing, as is the importance of cross-interdisciplinary collaboration, teams, and boards.”

Google, Microsoft and Mastercard offer advice

The government’s International Data Transfer Expert Council, made up of global experts on data, will play a major role in implementing the new laws if they are passed.

The group, which combines academics, organisations such as the World Economic Forum and the Future of Privacy Forum alongside digital industry figures including Google, Mastercard and Microsoft, will be empowered to remove barriers to data flows and ensure services from smart devices to online banking can be provided more reliably, cheaply and securely.

John Edwards, UK Information Commissioner, said: “Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms.”

Timescales

After a Bill is published, it can take up to two months to receive royal approval. We won’t know for sure what the changes to the law will be until the autumn of 2022.
