The Government’s proposed data reforms – under the Data Protection & Digital Information (No. 2) Bill – will have huge consequences for the marketing industry, but, as ever, many businesses are in the dark about what the overhaul means for them and their operations.
In the first of a new series of articles exploring the ramifications, Decision Marketing has joined forces with Sagacity to explain what businesses need to consider when processing data alongside UK GDPR and PECR.
How personal data is defined
The UK GDPR definitions of personal data are very extensive. The DPID Bill retains the same basic definition, but further clarifies when data is related to an identified or identifiable individual and when it should be considered anonymous. Information will only be considered as identifiable by a person other than the controller or processor if that other person will, or is likely to, obtain the information as a result of the processing.
Data for subject access requests
The right of access, exercised through subject access requests (SARs), is one of the key components of a data protection framework. The response to the DPID Bill consultation in May showed that organisations large and small found dealing with SARs a time-consuming exercise. The Government is proposing to change the current threshold for refusing, or charging a fee for, a SAR: the test of “manifestly unfounded or excessive” requests would become “vexatious or excessive” requests. This brings it into line with the Freedom of Information Act, an area where mixed views exist: organisations in favour of a cost limit argued that this would be beneficial to SMEs and make complying with subject access requests more manageable. The other view is that introducing a cost limit would be detrimental to individuals’ rights and could cause mistrust between the organisation and an individual.
The Government has also proposed creating a limited list of processing activities for which the requirement to conduct and evidence a balancing exercise is removed. Predominantly this will cover areas such as preventing crime, reporting safeguarding concerns, or activities which fall under the “public interest”.
Currently, organisations are allowed to rely on the soft opt-in when using electronic channels to contact a customer, i.e., if the email address was obtained in the course of a sale or other transaction, the individual can reasonably expect to be contacted. The Government has now extended this to non-commercial organisations which, in most cases, includes charities. This must be music to every charity’s ears, but as a cautionary note, they will need to ensure the appropriate accountability and safeguards are in place to protect individual rights, making sure there is a clear audit trail and that the provenance exists to justify processing an individual’s data in this way; otherwise we could see larger volumes of unwanted communications.
Privacy management programmes
Records of processing activities and data protection balancing assessments are set to be replaced as the Government moves forward with the Bill, which will instead require organisations to implement a privacy management programme (PMP). Any organisation that already aligns to the principles of the UK GDPR should not be too concerned about implementing a PMP, as it will already have the appropriate requirements and procedures in place based around its own processing activities.
Under UK GDPR, organisations are required to keep a ROPA (record of processing activities). The only exemption to this is for organisations with fewer than 250 employees where the processing of information is low risk and does not involve special categories of data and/or criminal conviction data. The DPID Bill proposes that controllers and processors would be exempt from this obligation unless they carry out high-risk processing activities, so essentially organisations would only be required to keep an “appropriate” record.
Increased fines under PECR
It is proposed that PECR be amended to allow the Information Commissioner’s Office to levy fines of up to £17m or 4% of a business’s global turnover, bringing greater harmony between the fines imposed under the UK GDPR and DPA 2018. This is an encouraging step forward and will lead to greater and stronger compliance around the use of electronic marketing and how it is performed.
DPO responsibilities and senior individuals
The requirements around data protection officers and the designated officer will now be removed, but there is a new requirement to appoint a senior level individual, or senior responsible individual (SRI), who will take responsibility for data protection and oversee an organisation’s privacy management and compliance. This will definitely give businesses greater flexibility, but the question remains as to what happens to the current crop of DPOs whose main responsibility is the UK regulations in which they are so well versed.
Under UK GDPR, organisations are required to conduct a data protection impact assessment (DPIA) for high-risk processing activities. Many of the European regulators, including our own ICO, provide a list of examples of when a DPIA must be conducted and when it is appropriate. DPIAs are a great tool for identifying and mitigating privacy risks prior to the launch of any processing involving personally identifiable information (PII). Under the Bill, organisations will no longer be required to conduct a DPIA, but they will need an alternative risk-based approach that delivers the same outcome and be able to evidence those outcomes.
Andy Bridges is data governance officer at Sagacity Solutions