UK: A new data direction - Accountability reforms
On 10 September 2021, the UK Government published a consultation, Data: A New Direction ('the Consultation'), which proposes changes to the UK's current data protection framework and, in particular, significant but not radical changes to the accountability framework under Regulation (EU) 2016/679 of the European Parliament and of the Council ('the UK GDPR'). At the heart of the proposed changes is the removal of what are described as the administrative burdens and a 'box-ticking' approach to compliance. However, it is important to note that the core definitions and principles of the UK GDPR remain unchanged under the proposed reforms. Gita Shivarattan, from Ernst & Young LLP, and Laura Stewart discuss the accountability reforms suggested by the UK Government, in particular how the proposed accountability reforms may impact the financial sector.
On 7 October 2021, the Information Commissioner’s Office ('ICO') published its response to the Consultation, which largely welcomes the proposed reforms, but places emphasis on the Government not losing sight of the importance of maintaining the rights of individuals.
The current accountability framework under the UK GDPR places obligations on organisations which are often described as cumbersome and/or disproportionate, particularly for small and medium-sized enterprises ('SMEs') and organisations that undertake low-risk data processing activities. To address this, the Consultation proposes a 'more flexible and risk-based' accountability framework, which is based on individually designed privacy management programmes ('PMPs'). The intention is for organisations to design a PMP suitable to the organisation's particular data use (i.e. processing activities) and related risk profile, which is intended to help an organisation establish a robust yet more flexible approach to how it manages its data protection obligations. The model is similar to the approach currently adopted in Singapore, Canada, and Australia, all of which include the operation of PMPs. As noted above, to support the implementation of PMPs, the Consultation proposes to remove some of the (arguably) disproportionately burdensome requirements in the UK GDPR, including the following:
Removal of the requirement to appoint a DPO
The Consultation proposes that the requirement to appoint a data protection officer ('DPO') is removed and instead, organisations are required to designate a suitable individual, or individuals, to be responsible for the PMP and for overseeing the organisation's data protection compliance. The Government suggests this would place different obligations on organisations, potentially driving more effective data protection outcomes. The ICO's response to this proposal places emphasis on the skills and experience that DPOs bring, which is now a well-developed and skilled profession.
Under the UK GDPR, a DPO is only a mandatory requirement in certain circumstances, particularly where organisations are processing high-risk personal data on a large scale. In contrast, the proposed PMP will require that all organisations appoint a responsible person. It is therefore unclear whether the proposal to scrap mandatory DPOs would result in any real change to current privacy governance structures. Further, it remains to be seen whether such persons would continue to have independent statutory obligations, as the mandatory DPO has under the current regime, and in turn whether the potential sanctions and fines for non-compliance would continue to apply. Currently, failure to appoint a mandatory DPO can result in fines of up to the greater of £8.7 million or 2% of annual global turnover.
On the face of it, this change fails to dial down on compliance obligations, but rather has the opposite effect, by introducing a generic obligation on all organisations (currently without exemption) to have an appointed responsible person to oversee the PMP framework.
Removal of the need for DPIAs
The Consultation proposes to remove the requirement for Data Protection Impact Assessments ('DPIAs'). This is to enable organisations to identify and minimise data protection risks in a way that better reflects their specific circumstances.
The Consultation acknowledges the fact that removing the requirement for DPIAs may increase the risk that organisations will undertake processing that is high-risk without carrying out an adequate risk assessment of the impact of the processing. The Consultation suggests that this would be mitigated by the requirements of the PMP, which would require organisations to have in place the processes which allow for the necessary identification and mitigation of data protection risks.
The ICO's response indicates that the Regulator is clearly supportive of DPIAs and recognises that they are a powerful tool in helping to ensure that privacy is embedded from the start. The ICO says that DPIAs 'enable the ICO to intervene to ensure personal data is effectively protected, including using enforcement action, where appropriate. While we agree that there is scope for more flexibility about the form that these assessments take, it is important that this does not result in a reduction in the robustness or quality of those assessments'.
The importance and relevance of DPIAs was highlighted in high profile use cases during the Coronavirus pandemic. The ICO considers that DPIAs have been an invaluable tool for controllers to plan and implement their approach to protecting personal data and it is unclear whether PMPs will provide the same protection, particularly for those carrying out new, high-risk, processing activities.
As with any successful governance programme, creating an appropriate audit trail to evidence that the requisite thought process and risk assessment have been carried out is essential. In practice, it is unlikely that the removal of the requirement for DPIAs will see the end of formally documented processing risk assessments.
Removal of the ICO prior consultation requirement
Article 36 of the UK GDPR requires that, where an organisation has identified a high risk to people's rights and freedoms that cannot be mitigated, it must consult the ICO before starting the processing. Where an organisation fails to comply with its obligation under Article 36, the ICO may issue enforcement action, including penalties of up to £8.7 million or 2% of annual global turnover, whichever is greater.
The ICO has acknowledged that Article 36 is infrequently used. This could be because of the concern that prior consultation would lead to immediate enforcement action or further regulatory scrutiny. However, of those the ICO does receive, one in four results in a warning to organisations about their intended processing. It is important to note that none of these warnings have resulted in the processing being abandoned. Rather, the ICO has helped to ensure that appropriate protections have been put in place. It is no surprise, therefore, that the ICO argues that removing this provision would remove an important opportunity for the ICO to offer early engagement and support to organisations carrying out the most potentially high-risk processing.
Record keeping requirements under Article 30
The Consultation proposes to remove the record keeping requirements under Article 30 of the UK GDPR, which requires organisations to keep a record of their data processing activities. The Government acknowledges that there are risks that removing the requirements under Article 30 could hinder effective enforcement and offer less regulatory protection to data subjects. However, the Government considers the risks to be minimal and, in any event, suggests that the requirements under a PMP would still require certain records be kept, but simply allow organisations to have more flexibility about the way in which they do this. The idea is that organisations will be able to record their processing activities in a way that reflects the volume and sensitivity of the personal information they handle, and the type(s) of data processing they carry out. In addition, Articles 13 and 14 of the UK GDPR will still require much of the same information to be recorded in privacy notices.
Many practitioners are likely to welcome the removal of the record keeping requirements, as currently drafted in the UK GDPR, the records of processing obligations are prescriptive and quite burdensome to maintain. However, where maintained, such records have proven key to providing organisations with a snapshot of processing activities, related data categories, and organisational data flows and are a useful tool in the event of a personal data breach.
As with the other accountability requirements that are under discussion, the proposal acknowledges the importance of such records and will require organisations to develop similar internal mechanisms which track processing activities.
Breach reporting requirements
Currently, an organisation must inform the ICO of a data breach 'unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons'. As a result, breaches which present a low risk are notifiable, where a risk is not considered unlikely. The sentiment is that this threshold has resulted in organisations over-reporting data incidents to the ICO. To address this, the Consultation suggests that the threshold for reporting a data breach to the ICO be increased, so that organisations must report a breach unless the risk to individuals is not material. Breaches of the new reporting threshold would result in the same sanctions as under the current regime, carrying maximum fines of the greater of £8.7m or 2% of annual worldwide turnover.
Increasing the threshold for reporting breaches to the ICO consequently narrows the gap between the threshold for notifying the ICO and the threshold for notifying data subjects. In addition, it increases the likelihood that fewer breaches will be reported to the ICO, including those that are likely to result in a risk to an individual's rights and freedoms. Guidance would clearly be required to enable organisations to understand what constitutes a 'non-material' risk, as well as examples of what is and is not reportable. In any event, given the current tendency for over-reporting and the burden this places on organisations and the ICO, the Government considers the benefits may outweigh the risks.
However, given that many data breaches and incidents increasingly impact more than one jurisdiction, the increase of the reporting threshold may result in UK regulators not being informed of incidents which are notified to European regulators, creating an enforcement void.
Obligation on data subjects to complain
There is currently no threshold to make a complaint to the ICO. The Consultation proposes introducing a requirement for a data subject to attempt to resolve their complaint directly with the data controller before lodging a complaint with the ICO. The Government suggests this would encourage more dialogue between data subjects and data controllers, and help to reduce the overall number of complaints if data subjects are required to resolve issues with the data controller before complaining to the regulator. This is akin to the requirements for making complaints to other regulatory bodies such as the Financial Ombudsman Service.
This proposal may not be welcome news to data subjects. However, to assist, the Consultation proposes to introduce a new requirement on data controllers which requires them to have a simple and transparent complaints handling process. It is likely that this would form part of the requirements for the PMP.
What does this mean for organisations?
For many, particularly those who have spent considerable time and money bringing themselves up to the standards of the UK GDPR, the proposed reforms are unlikely to materially change practices and processes that have already been implemented. In addition, multinational organisations will need to consider compliance with both UK and EU regulatory regimes, as well as other regimes. In practice, the governance structures implemented under the EU GDPR are likely to remain fundamentally unchanged, although any reforms will likely require an immediate review of current practices, procedures, and policies.
New market entrants, such as FinTech organisations, may have lower compliance costs on entry, although it is likely that legal advice and external expertise will still be required to ensure that appropriate PMPs are implemented within organisational structures and, as noted above, the core definitions and principles of the UK GDPR remain unchanged.
Some organisations may be pleasantly surprised to find themselves in a position where they already effectively have a PMP in place; helpfully, the ICO's Accountability Framework contains the foundational guidance for a PMP.
Notwithstanding the above, the Government has stressed that PMPs will help to encourage consistency and help to ensure that all organisations have approached privacy and data protection management in a proportionate and risk-based way for their businesses, which will undoubtedly be welcomed by a lot of organisations.
Where are we now?
The Consultation provides some clarity on the Government's proposed data strategy and the direction in which it wants to travel when it comes to adopting its own approach to data privacy law. The proposed approach is more akin to the governance framework for financial services, which focuses on the impact to the end customer and recognises that there cannot be a 'one size fits all' approach. The ultimate goal seems to be to ensure that requirements must be proportionate to the size of the organisation to enable innovation and ensure that business development is not hindered. It is unclear whether the accountability reforms achieve this goal.
The financial services sector is arguably one of the most mature industries when it comes to governance, and larger financial organisations are well versed in designing and implementing appropriate governance frameworks. However, it remains to be seen whether the more flexible approach will have the desired effect of creating a less burdensome compliance regime or result in greater complexities and a lack of consistency as each organisation implements processes which are self-determined. The introduction of PMPs may ultimately create additional costs in the M&A market where, on acquisition, many organisations may need to introduce new practices and procedures to align with the group.
A robust and transparent consultation process will be important to help industry leaders and the ICO understand how the proposals will apply across different sectors and technologies. As noted by the ICO in its response, 'the devil will be in the detail'.
Gita Shivarattan Partner
Ernst & Young LLP, London