The Government’s new direction for GDPR: what it means for workforce data

United Kingdom

On 23 June 2022, the Department for Culture, Media and Sport published its response to its consultation (which closed in November 2021) regarding proposals to reform the UK’s data protection laws. The Government intends to introduce a Data Reform Bill in parliament next year, which will introduce wide-ranging proposals, including matters relating to AI, accountability requirements, cookies, and even the governance model of the ICO itself.

In this Law-Now we highlight some of the key proposals which will impact an employer’s approach towards the management of workforce data. 

Background

The Government’s stated intention is to establish the UK as the most attractive global data marketplace while creating a framework which empowers citizens through the responsible use of personal data. The emphasis is on strengthening accountability requirements while providing businesses with the opportunity and flexibility to find the most effective and proportionate means of meeting its compliance obligations. The Government considers that ‘almost all’ organisations which comply with the current UK privacy rules will be in a position to comply with its future regime – it views the limited number of new requirements as matters of good practice that many organisations already have in place. It remains to be seen whether this will be the experience of businesses in the event the changes proceed as planned.

A changing of emphasis

Practical issues that will impact employers include:

  • Reform of accountability framework: In recognition of the disproportionate burden weighing on some organisations, the Government will introduce a more flexible accountability framework underpinned by a ‘privacy management programme’ for businesses (‘PMP’). The intention behind this strategy is to move away from a tickbox mentality and enable organisations to take a more flexible and measured approach to compliance, based on the level of processing activities and the volume and sensitivity of personal data they handle. The PMP would be based on a core range of accountability elements such as: leadership and oversight; risk assessment; policy and process; transparency; training and awareness of staff; and monitoring, evaluation and improvement. The introduction of the PMP has some important consequences:

    • The requirement for a data protection officer will be replaced with the requirement to appoint a designated senior individual (‘DSI’) responsible for embedding an organisation-wide culture of data protection. The DSI will be tasked with acting as (or delegating) a representative to the ICO and data subjects; ensuring oversight, audit, support and recruitment to the PMP; and providing tailored staff training on policy matters. 

    • Organisations will still be required to identify, manage and mitigate risks, but they will be granted greater flexibility to do so and the requirement for data protection impact assessments (‘DPIA’) will be removed. Organisations would still be able to use DPIAs if they wish to do so (but tailor them based on their processing activities). Existing DPIAs would also remain valid as a way of achieving the new requirement.

    • Organisations will need to maintain personal data inventories as part of their PMP which describe what data is held, where and why it is held etc. However, requirements will be more tailored to the organisation in question. Accordingly, the Government will remove the current ‘records of processing activities’ requirement set out in Article 30 UK GDPR.

    • The requirement to consult the ICO prior to any high-risk processing activity will be removed. Instead any voluntary consultation with the ICO will be taken into account in the event that the regulator takes enforcement action against an organisation.

  • Legitimate interests and the “balancing test”: Where a data controller is relying on “legitimate interests” as a lawful means for processing personal data, the data controller must always consider whether the interests of the employer or relevant third party are outweighed by the rights of the relevant data subjects. This is known as the “balancing test”. The government intends to introduce a limited list of circumstances for which organisations could rely on “legitimate interests” without applying the “balancing test” and without unnecessary or inappropriate recourse to consent. This limited list is likely to include processing activities which are carried out to prevent crime or report safeguarding concerns, or which are necessary for other important reasons of public interest. 

  • When data will be treated as “anonymous”: Anonymous data does not fall within the scope of data protection legislation in the UK. Accordingly, the Government intends to clarify in legislation when a living individual is identifiable and therefore within scope of the data privacy rules, focussing on the means available to the data controller at a particular time (e.g. taking into account technology and where the sharing of data is likely to result in re-identification of an individual).

  • Data Subject Access Requests: The Government has decided against introducing a cost ceiling for DSARs and also the idea of introducing a small nominal fee as a requirement for processing any DSAR.  Instead, the Government plans to change the threshold for refusing (or charging a reasonable fee for) a DSAR from “manifestly unfounded or excessive” to “vexatious or excessive” in line with the Freedom of Information regime.

  • Processing of special category data: The Government is currently giving thought to the proposal of adding to, or amending the specific conditions which provide a gateway to the lawful processing of an individual’s “special category data” (such as health, race, trade union membership etc.). The Government has hinted at the possibility of organisations in future being able to process broader categories of special category data than before in support of DEI initiatives.

  • Reform of the complaints network: The ICO is to be given greater discretion as to when and how to investigate complaints from data subjects. This will include the discretion not to investigate vexatious complaints, and other complaints where the data subject has not first attempted to resolve the issue with the relevant data controller. In turn, data controllers will be required to consider and respond to complaints submitted to them. Appropriate safeguards will be introduced, for example to enable an individual to escalate a complaint if no adequate response is received in a timely manner, or if the data controller has not provided the individual with contact details to raise a complaint.    

Next Steps

Despite the Government’s efforts to provide reassurance to UK business, it is likely that employers will need to implement some changes to policy. Employers will be disappointed at the lack of a costs cap for responding to DSARs, and will hope for clearer guidance from the ICO as to when it is permissible to refuse to respond to a DSAR or charge a reasonable fee. Employers will, however, be pleased to see a more proportionate and flexible approach to accountability requirements.

A lingering fear remains as to EU’s response to these latest reforms, and whether the UK’s “adequacy” determination may be put at risk: employers will be anxious to avoid any barriers to the flow of data between the EU and the UK.